Abstract. The paper develops techniques for constructing computer programs, pseudorandom number generators (PRNG), that produce uniformly distributed sequences. The paper exploits an approach that treats standard processor instructions (arithmetic and bitwise logical ones) as continuous functions on the space of 2-adic integers. Within this approach, a PRNG is considered as a dynamical system and is studied by means of non-Archimedean ergodic theory.



1. Introduction 

Any computer program could be viewed as a composition of basic instructions, which are the simplest instructions performed by a processor (CPU), i.e., as a composition of operators of a proper assembler. These operators depend on the type of CPU. Usually the corresponding assemblers include some operators which are common for all CPUs independently of the type: these are arithmetic operators (addition, multiplication), bitwise logical operators (e.g., AND, a bitwise conjunction; OR, a bitwise disjunction; XOR, a bitwise logical 'exclusive or', etc.), and some others (e.g., left and right shifts). Speaking formally, all these common operators are defined on the set $\mathbb{B}^n$ of all n-bit words, where n is the length of the machine words the CPU operates on (which is sometimes called the CPU bitlength). However, all these common operators could be extended in a natural way to the set $\mathbb{Z}_2$ of all infinite strings of zeros and ones. The latter set $\mathbb{Z}_2$ could be endowed with a metric (called a 2-adic metric) and so becomes a (non-Archimedean) metric space. Interestingly, all these common operators are continuous functions with respect to this metric. So all computer programs built from these operators could be viewed as continuous 2-adic functions; whence, their behaviour could be studied with the use of non-Archimedean analysis. In this paper, we apply this approach to construct and study pseudorandom generators.

A pseudorandom (number) generator (a PRNG for short) is a computer program that produces a random-looking sequence of machine words, which could also be treated as a sequence of numbers in their base-2 expansions. Pseudorandom generators are widely used in numerous applications, especially in simulation (e.g., quasi Monte Carlo) and cryptography (e.g., stream ciphers). A theory (better to say, theories) of PRNG is an important part of computer science, see e.g., [21, Chapter 3]. We say 'theories of PRNG' since the very definition of pseudorandomness assumes that the produced sequence must pass a certain class of statistical tests, so the definition of a PRNG depends on the choice of the tests. Actually the paper could be considered as a contribution to a non-Archimedean theory of PRNG.
As a rule, the weakest statistical property the sequence must necessarily satisfy to be considered pseudorandom is uniform distribution; that is, each term of the sequence must occur with the same frequency. For example, a well-known linear congruential generator (LCG) produces the recurrence sequence $\{x_i\}_{i=0}^{\infty}$ over the set $\{0, 1, \ldots, m-1\}$ according to the recurrence law $x_{i+1} = a + b x_i \pmod m$, for some rational integers a, b. This sequence is uniformly distributed if and only if it is purely periodic and the length of its shortest period is equal to the modulus m. The latter condition implies that each number of $\{0, 1, \ldots, m-1\}$ occurs in the period exactly once, and vice versa. We refer to such sequences as strictly uniformly distributed.

In other words, the LCG produces a uniformly distributed sequence if and only if the mapping $x \mapsto a + bx \pmod m$ of the residue ring $\mathbb{Z}/m\mathbb{Z}$ modulo m permutes the residues $\{0, 1, \ldots, m-1\}$ cyclically. We call the mapping $x \mapsto a + bx$ of the ring $\mathbb{Z}$ of rational integers transitive modulo m in this case.

It is not difficult to see that every composition f of arithmetic and bitwise logical operators, which defines a mapping of $\mathbb{Z}_2$ into $\mathbb{Z}_2$, induces a well defined mapping $f \bmod 2^n$ of the residue ring $\mathbb{Z}/2^n\mathbb{Z}$ (that is, of the set $\mathbb{B}^n$) into itself, for all $n = 1, 2, \ldots$. It turns out that the mapping $f \bmod 2^n$ is transitive for all n if and only if the mapping f is ergodic (with respect to the Haar measure) on $\mathbb{Z}_2$, see e.g., [7] for a proof. Thus, to construct PRNGs (that produce strictly uniformly distributed sequences over $\mathbb{B}^n$) out of arithmetic and bitwise logical operators we just need to construct the corresponding ergodic transformation of the space $\mathbb{Z}_2$.

This approach was already utilized in [1, 2, 3, 4, 5, 6, 8, 9, 10, 23] in order to construct numerous non-linear congruential generators and to study their properties.

The paper is organized as follows: 

• In section 2 we demonstrate that a CPU actually works with approximations of 2-adic integers with respect to the 2-adic metric.

• In section 3 we demonstrate that arithmetic, bitwise logical and some other instructions of a CPU could be extended to functions that are continuous on the metric space $\mathbb{Z}_2$, as well as programs combined from these instructions; and that programs producing uniformly distributed sequences could be constructed as automata with output/state transition functions being, accordingly, ergodic/measure preserving transformations with respect to the normalized Haar measure, which is a natural probabilistic measure on $\mathbb{Z}_2$.

• In section 4 we develop various techniques that could be used to construct 
the above mentioned ergodic/measure preserving transformations, or to 
verify whether a given transformation is ergodic/measure preserving. This 
section could serve mainly as a survey; however, it contains new results as 
well. 

• In section 5 we study (with the use of the above mentioned techniques) two special types of fast PRNG: the first one, defined by the recurrence law $x_{i+1} = a + \sum_{j=0}^{n-1} c_j\,(x_i \,\mathrm{XOR}\, b_j) \pmod{2^n}$, and the second one, defined by the recurrence law $x_{i+1} = a + \sum_{j=0}^{n-1} c_j\,\delta_j(x_i)$, where $\delta_j(x)$ is the j-th binary digit in the base-2 expansion of x. These generators are of special interest to stream ciphers since they are utilized in some designs, see [8, 11].
• In section 6 we study properties of a sequence produced by an ergodic transformation of the space $\mathbb{Z}_2$. We demonstrate, in particular, that this sequence satisfies D. Knuth's randomness criterion Q1, see [21, Section 3.5, Definition Q1].

• We conclude in section 7. 

The paper is partly based on the author's preprint [5]; the results of section 5 were announced in the author's papers [1, 2] without proofs.

Note that most results of the paper could be re-stated for arbitrary prime p, and 
not only for p = 2. 

Some p-adic arguments were exploited in studies of certain special types of PRNGs, see [19, 33, 35]. However, none of these works study PRNGs combined of basic computer instructions (both arithmetic and logical) as continuous 2-adic dynamical systems: in [19] only an output of a feedback-with-carry shift register is considered as a 2-adic integer (which actually is a rational number, an irreducible fraction with odd denominator); in [33, 14] the authors study properties of pseudorandom numbers obtained from round-off errors in calculations of 2-variate linear maps (actually they deal with the transformation $x \mapsto \lfloor x/p \rfloor$ of the space $\mathbb{Z}_p$ of p-adic integers, where $\lfloor\cdot\rfloor$ is an 'integer part' of a p-adic number); in [35] the authors study a generator with recurrence law $x_{i+1} = (x_i^2 - x_i)/2$ on $\mathbb{Z}_2$, which is a 2-adic analog of the real logistic map.

It is worth noting here that there is a vast literature on PRNGs based on operations of finite fields and rings, see [15] and references therein. However, to the best of our knowledge, none of these works use p-adic techniques.

We note that the presented paper can also be considered as a contribution to the theory of p-adic dynamical systems (especially to p-adic ergodic theory). The latter theory has recently attracted significant interest due to its applications in mathematical physics, biology, genetics, cognitive sciences, etc., see e.g. [16, 18] and references therein. However, the relevant works usually study dynamics on the whole field $\mathbb{Q}_p$ of p-adic numbers, or even on its algebraic closure $\mathbb{C}_p$, see the works just cited, as well as e.g., [12, 13]. In our paper, we study dynamical systems on $\mathbb{Z}_p$, which is the ring of integers of $\mathbb{Q}_p$, and simultaneously a ball of radius 1. Interestingly, our techniques, developed primarily to study PRNGs, were successfully applied to solve a problem (that was set up by A. Khrennikov) on ergodicity of perturbed monomial maps on p-adic spheres, see [7].

2. Basics 

A contemporary processor is word-oriented. That is, it works with words of zeroes and ones of a certain fixed length n (usually n = 8, 16, 32, 64). Each binary word $z \in \mathbb{B}^n$ of length n could be considered as the base-2 expansion of a number $z \in \{0, 1, \ldots, 2^n - 1\}$ and vice versa. We can also identify the set $\{0, 1, \ldots, 2^n - 1\}$ with residues modulo $2^n$; that is, with elements of the residue ring $\mathbb{Z}/2^n\mathbb{Z}$ modulo $2^n$. Actually, arithmetic (numerical) instructions of a processor are just operations of the residue ring $\mathbb{Z}/2^n\mathbb{Z}$: an n-bit word processor performing a single instruction of addition (or multiplication) of two n-bit numbers just deletes the more significant digits of the sum (or of the product) of these numbers, thus merely reducing the result modulo $2^n$. Note that to calculate the sum of two integers exactly (i.e., without reducing the result modulo $2^n$) a 'standard' processor uses not a single instruction but invokes a program (that is, a sequence of basic instructions).

VLADIMIR ANASHIN

Another kind of basic instructions of a processor are bitwise logical operations: XOR, OR, AND, NOT, which are clear from their definitions. It is worth noting only that the set $\mathbb{B}^n$ with respect to XOR could also be considered as an n-dimensional vector space over the field $\mathbb{Z}/2\mathbb{Z} = \mathbb{B}$.

A third type of instructions could be called machine ones, since they depend on the processor. But usually they include such standard instructions as shifts (left and right) of an n-bit word.

As an example we give formal definitions of some basic instructions (bitwise logical and machine); the definitions for the rest of these instructions could be obtained by analogy. Let
$$z = \delta_0(z) + \delta_1(z)\cdot 2 + \delta_2(z)\cdot 2^2 + \delta_3(z)\cdot 2^3 + \cdots$$
be the base-2 expansion of $z \in \mathbb{N}_0 = \{0, 1, 2, \ldots\}$ (that is, $\delta_j(z) \in \{0, 1\}$). Then, according to the respective definitions of the instructions, we have

• $y \,\mathrm{XOR}\, z = y \oplus z$ is a bitwise addition modulo 2: $\delta_j(y \,\mathrm{XOR}\, z) = \delta_j(y) + \delta_j(z) \pmod 2$;

• $y \,\mathrm{AND}\, z$ is a bitwise multiplication modulo 2: $\delta_j(y \,\mathrm{AND}\, z) = \delta_j(y)\cdot\delta_j(z) \pmod 2$;

• NOT, a bitwise logical negation: $\delta_j(\mathrm{NOT}(z)) = \delta_j(z) + 1 \pmod 2$;

• $\lfloor z/2 \rfloor$, the integral part of $z/2$, is a shift towards less significant bits;

• $2\cdot z$ is a shift towards more significant bits;

• $y \,\mathrm{AND}\, z$ is masking of z with the mask y;

• $z \pmod{2^k} = z \,\mathrm{AND}\, (2^k - 1)$ is a reduction of z modulo $2^k$.

Note that in the literature $\oplus$ is used along with XOR for a bitwise 'exclusive or' operator, $\vee$ along with OR, and $\wedge$ (or $\odot$) along with AND. In the rest of this paper we use only OR for bitwise logical 'or', AND for bitwise logical 'and', and XOR for 'exclusive or'.

We can now make the following important observation: basic instructions of a processor are well defined functions on the set $\mathbb{N}_0$ (of non-negative rational integers) with values in $\mathbb{N}_0$.

Moreover, all mentioned basic instructions, arithmetic, bitwise logical and machine ones, are defined on the set $\mathbb{Z}_2$ of all 2-adic integers, which within the context of this paper could be thought of as the set of all countably infinite binary sequences with terms indexed by $0, 1, 2, \ldots$. Sequences with only a finite number of 1s correspond to non-negative rational integers in their base-2 expansions, sequences with only a finite number of 0s correspond to negative rational integers, while eventually periodic sequences (that is, sequences that become periodic starting with a certain place) correspond to rational numbers represented by irreducible fractions with odd denominators: for instance, $3 = \ldots 00011$, $-3 = \ldots 11101$, $\frac{1}{3} = \ldots 10101011$, $-\frac{1}{3} = \ldots 1010101$. So $\delta_j(u)$ for $u \in \mathbb{Z}_2$ is merely the j-th term of the corresponding sequence.

Arithmetic operations (addition and multiplication) with these sequences could 
be defined via standard 'school-textbook' algorithms of addition and multiplication 
of natural numbers represented by base-2 expansions. Each term of a sequence that 
corresponds to the sum (respectively, to the product) of two given sequences could 
be calculated by these algorithms with a finite number of steps. 

Thus, $\mathbb{Z}_2$ is a commutative ring with respect to the so defined addition and multiplication. It is a metric space with respect to the metric (distance) $d_2(u,v)$ defined by the following rule: $d_2(u,v) = \|u - v\|_2 = 2^{-n}$, where n is the smallest non-negative rational integer such that $\delta_n(u) \ne \delta_n(v)$, and $d_2(u,v) = 0$ if no such n exists (i.e., if $u = v$). For instance, $d_2(3, \frac{1}{3}) = \frac{1}{8}$. The function $d_2(u, 0) = \|u\|_2$ is a norm of the 2-adic integer u, and $\mathrm{ord}_2\, u = -\log_2 \|u\|_2$ is the 2-adic valuation of u. Note that for $u \in \mathbb{N}_0$ the valuation $\mathrm{ord}_2\, u$ is merely the exponent of the highest power of 2 that divides u (thus, loosely speaking, $\mathrm{ord}_2\, 0 = \infty$, so $\|0\|_2 = 0$).

Once the metric is defined, one defines the notions of convergent sequences, limits, continuous functions on the metric space, and even derivatives if the space is a commutative ring. For instance, with respect to the so defined metric on $\mathbb{Z}_2$ the following sequence tends to $-1 = \ldots 111$:
$$1, 3, 7, 15, 31, \ldots, 2^n - 1, \ldots \to -1;$$
bitwise logical operators (such as XOR, AND, ...) define continuous functions in two variables; the function $f(x) = x \,\mathrm{XOR}\, a$ is differentiable everywhere on $\mathbb{Z}_2$ for every rational integer a: its derivative is $-1$ for negative a, and 1 in the opposite case (see example 4.15 for other examples of this kind and more detailed calculations).

Reduction modulo $2^n$ of a 2-adic integer v, i.e., setting all terms of the corresponding sequence with indexes greater than $n - 1$ to zero (that is, taking the first n digits in the representation of v), is just an approximation of the 2-adic integer v by a rational integer with precision $2^{-n}$. This approximation is the n-digit positive rational integer $v \,\mathrm{AND}\, (2^n - 1)$; the latter will also be denoted as $v \bmod 2^n$.

Actually a processor works with approximations of 2-adic integers with respect to the 2-adic metric: when one tries to load a number whose base-2 expansion contains more than n significant bits into a register of an n-bit processor, the processor writes only the n low order bits of the number into the register, thus reducing the number modulo $2^n$. Thus, the precision of the approximation is defined by the bitlength of the processor.

All these considerations (after proper modifications) remain true for arbitrary 
prime p, and not only for p = 2, thus leading to the notion of a p-adic integer and 
to p-adic analysis. For formal introduction to p-adic analysis, exact notions and 
results see any relevant book, e.g. [22, 28]. 



3. Approach 

Arithmetic and bitwise logical operations are not independent: some of them could be expressed via the others. For instance, for all $u, v \in \mathbb{Z}_2$
$$\begin{aligned}
\mathrm{NOT}\, u &= u \,\mathrm{XOR}\, (-1); \\
u + \mathrm{NOT}\, u &= -1; \\
u \,\mathrm{XOR}\, v &= u + v - 2(u \,\mathrm{AND}\, v); \qquad (1) \\
u \,\mathrm{OR}\, v &= u + v - (u \,\mathrm{AND}\, v); \\
u \,\mathrm{OR}\, v &= (u \,\mathrm{XOR}\, v) + (u \,\mathrm{AND}\, v).
\end{aligned}$$
Proofs of the identities (1) are just an exercise: for example, if $\alpha, \beta \in \{0, 1\}$ then $\alpha \,\mathrm{XOR}\, \beta = \alpha + \beta - 2\alpha\beta$ and $\alpha \,\mathrm{OR}\, \beta = \alpha + \beta - \alpha\beta$. Hence:
$$u \,\mathrm{XOR}\, v = \sum_{i=0}^{\infty} 2^i\,(\delta_i(u) \,\mathrm{XOR}\, \delta_i(v)) = \sum_{i=0}^{\infty} 2^i\,\delta_i(u) + \sum_{i=0}^{\infty} 2^i\,\delta_i(v) - 2\cdot\sum_{i=0}^{\infty} 2^i\,\delta_i(u)\delta_i(v) = u + v - 2(u \,\mathrm{AND}\, v).$$
Proofs of the remaining identities can be made by analogy and thus are omitted. A shift towards more significant digits, as well as masking, could be derived from the above operations: an m-step shift of u is $2^m u$; masking of u is $u \,\mathrm{AND}\, M$, where M is an integer whose base-2 expansion is a mask (i.e., a string of 0s and 1s).

A common feature that the above mentioned arithmetic, bitwise logical and machine operations all share is that they are, with the only exception of shifts towards less significant bits, compatible; that is, $\omega(u, v) \equiv \omega(u_1, v_1) \pmod{2^k}$ whenever both congruences $u \equiv u_1 \pmod{2^k}$ and $v \equiv v_1 \pmod{2^k}$ hold simultaneously (here $\omega$ stands for any of these operations, arithmetic, bitwise logical, or machine). The notion of a compatible mapping could be naturally generalized to mappings $(\mathbb{Z}/2^k\mathbb{Z})^s \to (\mathbb{Z}/2^k\mathbb{Z})^t$ and $\mathbb{Z}_2^s \to \mathbb{Z}_2^t$ of Cartesian products.
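As an added illustration (example code, not from the paper), the following Python toolkit computes n-digit 2-adic approximations and the metric $d_2$ of section 2 for rationals with odd denominators, checks the identities (1) exhaustively modulo $2^n$, and tests the compatibility property of a binary operation, which the right shift fails as stated above. All function names are the example's own.

```python
# Added example (not from the paper): 2-adic approximations, the metric d_2,
# the identities (1) and the compatibility property, checked exhaustively
# modulo 2^n for small n.
from fractions import Fraction


def ord2(r):
    """2-adic valuation of a rational r with odd denominator; ord2(0) = infinity."""
    r = Fraction(r)
    if r == 0:
        return float("inf")
    if r.denominator % 2 == 0:
        raise ValueError("not a 2-adic integer")
    num, v = abs(r.numerator), 0
    while num % 2 == 0:
        num //= 2
        v += 1
    return v


def d2(u, v):
    """2-adic distance ||u - v||_2 = 2^(-ord2(u - v)) as an exact Fraction."""
    o = ord2(Fraction(u) - Fraction(v))
    return Fraction(0) if o == float("inf") else Fraction(1, 2 ** o)


def approx_mod(r, n):
    """r mod 2^n: the n-digit approximation of the 2-adic integer r.
    For a fraction a/b with odd b this is a * b^(-1) reduced modulo 2^n."""
    r = Fraction(r)
    m = 1 << n
    return (r.numerator * pow(r.denominator, -1, m)) % m


def digits(r, n):
    """The first n binary digits delta_0(r), ..., delta_{n-1}(r)."""
    z = approx_mod(r, n)
    return [(z >> j) & 1 for j in range(n)]


def identities_hold(n):
    """Check the identities (1) for all pairs of n-bit words (results mod 2^n)."""
    m = (1 << n) - 1
    for u in range(1 << n):
        if (~u) & m != (u ^ -1) & m:                 # NOT u = u XOR (-1)
            return False
        if (u + ~u) & m != (-1) & m:                 # u + NOT u = -1
            return False
        for v in range(1 << n):
            if (u ^ v) != u + v - 2 * (u & v):       # XOR via + and AND
                return False
            if (u | v) != u + v - (u & v):           # OR via + and AND
                return False
            if (u | v) != (u ^ v) + (u & v):         # OR via XOR and AND
                return False
    return True


def is_compatible(op, n):
    """Compatibility of a binary operation op(u, v) on non-negative integers:
    changing u or v by a multiple of 2^k must not change op(u, v) mod 2^k.
    It suffices to test adding 2^k to one argument, for all u, v < 2^n, k < n."""
    for k in range(n):
        step = 1 << k
        for u in range(1 << n):
            for v in range(1 << n):
                base = op(u, v) % step
                if op(u + step, v) % step != base or op(u, v + step) % step != base:
                    return False
    return True
```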

We note that the considerations we made above, after proper modifications, hold for arbitrary prime p, and not only for p = 2. The case of odd prime p is important for producing pseudorandom sequences on N symbols, N > 2. PRNGs that produce pseudorandom numbers in the range $\{0, 1, 2, \ldots, N - 1\}$ are often used in practice, and we are going to discuss them also. However, the case p = 2 will sometimes be exceptional in our considerations (this often happens in p-adic analysis), so from time to time we have to switch to the case p = 2 and then revert back to the general case.

The compatibility property, being originally stated in algebraic terms, could be expressed in terms of p-adic analysis as well, for arbitrary prime p, and not only for p = 2. Namely, it is not difficult to verify that a function $F\colon \mathbb{Z}_p^s \to \mathbb{Z}_p^t$ is compatible if and only if it satisfies the Lipschitz condition with coefficient 1 with respect to the p-adic distance; e.g., for s = t = 1 the function F is compatible if and only if
$$\|F(u) - F(v)\|_p \le \|u - v\|_p$$
for all $u, v \in \mathbb{Z}_p$.

Obviously, a composition of compatible mappings is a compatible mapping. We now list some important examples of compatible operators $\mathbb{Z}_p^s \to \mathbb{Z}_p^t$, p prime. Here are some of them that originate from arithmetic operations:
$$\begin{aligned}
&\text{multiplication, } \cdot\colon (u, v) \mapsto uv; \\
&\text{addition, } +\colon (u, v) \mapsto u + v; \\
&\text{subtraction, } -\colon (u, v) \mapsto u - v; \qquad (2) \\
&\text{exponentiation, } \uparrow_p\colon (u, v) \mapsto u \uparrow_p v = (1 + pu)^v; \\
&\text{raising to negative powers, } u \uparrow_p (-n) = (1 + pu)^{-n}; \\
&\text{division, } /_p\colon u /_p v = u\cdot(v \uparrow_p (-1)) = \frac{u}{1 + pv}.
\end{aligned}$$
The other part originates from digitwise logical operations of p-valued logic; these are the operations (3), displayed after proposition 3.1 below. Here $\delta_j(z)$ ($j = 0, 1, 2, \ldots$) stands for the j-th digit of z in its base-p expansion. For p = 2 equations (3) define AND and XOR.

In the case p = 2 compatible mappings could be characterized in terms of Boolean functions. Namely, each transformation $T\colon \mathbb{Z}/2^n\mathbb{Z} \to \mathbb{Z}/2^n\mathbb{Z}$ of the residue ring $\mathbb{Z}/2^n\mathbb{Z}$ modulo $2^n$ could be considered as an ensemble of Boolean functions $\tau_i(x_0, \ldots, x_{n-1})$, $i = 0, 1, 2, \ldots, n-1$, in n Boolean variables $x_0, \ldots, x_{n-1}$ by assuming $x_i = \delta_i(u)$, $\tau_i(x_0, \ldots, x_{n-1}) = \delta_i(T(u))$ for u running from 0 to $2^n - 1$. The following easy proposition holds.

Proposition 3.1. [1] A mapping $T\colon \mathbb{Z}/2^n\mathbb{Z} \to \mathbb{Z}/2^n\mathbb{Z}$ (accordingly, a mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$) is compatible if and only if each Boolean function $\tau_i(x_0, x_1, \ldots) = \delta_i(T(u))$, $i = 0, 1, 2, \ldots$, does not depend on the variables $x_j = \delta_j(u)$ for $j > i$.

Note. We use the term 'compatible' instead of the term 'conservative' of [1], since 
the latter term in numerous papers on algebraic systems has attained another mean- 
ing, see [26, p. 45]. Note that in the theory of Boolean functions mappings satis- 
fying conditions of the proposition are also known as triangular mappings, and as 
T-functions in cryptography. 

The proposition, after proper restatement (in terms of functions of p-valued logic), also holds for odd prime p. For multivariate mappings proposition 3.1 holds as well: a mapping $T = (t_1, \ldots, t_s)\colon \mathbb{Z}_2^r \to \mathbb{Z}_2^s$ is compatible if and only if each Boolean function $\tau_i^{(k)}(x_{1,0}, x_{1,1}, \ldots, x_{r,0}, x_{r,1}, \ldots) = \delta_i(t_k(u_1, \ldots, u_r))$ ($i = 0, 1, 2, \ldots$; $k = 1, \ldots, s$) does not depend on the variables $x_{\ell,j} = \delta_j(u_\ell)$ for $j > i$ ($\ell = 1, 2, \ldots, r$).

Now, given a compatible mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$, one can define an induced mapping $T \bmod 2^n\colon \mathbb{Z}/2^n\mathbb{Z} \to \mathbb{Z}/2^n\mathbb{Z}$ by assuming $(T \bmod 2^n)(z) = T(z) \bmod 2^n = (T(z)) \,\mathrm{AND}\, (2^n - 1)$ for $z = 0, 1, 2, \ldots, 2^n - 1$. The induced mapping is obviously a compatible mapping of the ring $\mathbb{Z}/2^n\mathbb{Z}$ into itself. For odd prime p, as well as for the multivariate case $T\colon \mathbb{Z}_p^s \to \mathbb{Z}_p^t$, an induced mapping $T \bmod p^n$ could be defined by analogy.



$$\begin{aligned}
&\text{digitwise multiplication } u \odot_p v\colon\ \delta_j(u \odot_p v) = \delta_j(u)\,\delta_j(v) \pmod p; \\
&\text{digitwise addition } u \oplus_p v\colon\ \delta_j(u \oplus_p v) = \delta_j(u) + \delta_j(v) \pmod p; \qquad (3) \\
&\text{digitwise subtraction } u \ominus_p v\colon\ \delta_j(u \ominus_p v) = \delta_j(u) - \delta_j(v) \pmod p.
\end{aligned}$$
Definition 3.2. We call a compatible mapping $T\colon \mathbb{Z}_p^s \to \mathbb{Z}_p^s$ bijective modulo $p^n$ if and only if the induced mapping $T \bmod p^n$ is a permutation on $(\mathbb{Z}/p^n\mathbb{Z})^s$; we call T transitive modulo $p^n$ if and only if $T \bmod p^n$ is a permutation with a single cycle. We call a compatible mapping $T\colon \mathbb{Z}_p^s \to \mathbb{Z}_p^t$ balanced modulo $p^n$ if and only if the induced mapping $T \bmod p^n$ maps $(\mathbb{Z}/p^n\mathbb{Z})^s$ onto $(\mathbb{Z}/p^n\mathbb{Z})^t$, and each element of $(\mathbb{Z}/p^n\mathbb{Z})^t$ has the same number of preimages in $(\mathbb{Z}/p^n\mathbb{Z})^s$.

Often a pseudorandom generator could be constructed as a finite automaton $\mathfrak{A} = (N, M, f, F, u_0)$ with a finite state set N, state transition function $f\colon N \to N$, finite output alphabet M, output function $F\colon N \to M$ and an initial state (seed) $u_0 \in N$. The following sequence $\mathcal{T} = \{u_j = f^j(u_0)\}_{j=0}^{\infty}$ is called the sequence of states:
$$f^j(u_0) = \underbrace{f(f(\cdots f}_{j \text{ times}}(u_0)\cdots)) \quad (j = 1, 2, \ldots); \qquad f^0(u_0) = u_0.$$
Thus, the generator produces the output sequence $\mathcal{S}$ over the set M out of the sequence of states:
$$\mathcal{S} = F(u_0),\ F(f(u_0)),\ F(f^2(u_0)),\ F(f^3(u_0)),\ \ldots$$

Mappings that are transitive modulo $p^n$, as well as mappings that are balanced modulo $p^n$, could be used as building blocks of pseudorandom generators to provide both large period length and uniform distribution of output sequences. Namely, the following obvious proposition holds.

Proposition 3.3. If the state transition function f of the automaton $\mathfrak{A}$ is transitive on the state set N, i.e., if f is a permutation with a single cycle of length |N|, if, further, |N| is a multiple of |M|, and if the output function $F\colon N \to M$ is balanced (i.e., $|F^{-1}(s)| = |F^{-1}(t)|$ for all $s, t \in M$), then the output sequence $\mathcal{S}$ of the automaton $\mathfrak{A}$ is purely periodic with period length |N| (i.e., the maximum possible), and each element of M occurs in the period exactly the same number of times. That is, the output sequence $\mathcal{S}$ is strictly uniformly distributed.

Note that in the case $N = \mathbb{B}^{kn}$ and $M = \mathbb{B}^{tn}$ one can use a transitive modulo $2^{kn}$ compatible state transition function $f\colon \mathbb{Z}/2^{kn}\mathbb{Z} \to \mathbb{Z}/2^{kn}\mathbb{Z}$ and a balanced modulo $2^n$ output function $F\colon (\mathbb{Z}/2^n\mathbb{Z})^k \to (\mathbb{Z}/2^n\mathbb{Z})^t$ to produce a strictly uniformly distributed sequence.

Now we describe connections between generators of strictly uniformly distributed sequences and p-adic ergodic theory. Recall that a dynamical system on a measurable space $\mathbb{S}$ is a triple $(\mathbb{S}; \mu; f)$, where $\mathbb{S}$ is a set endowed with a measure $\mu$, and $f\colon \mathbb{S} \to \mathbb{S}$ is a measurable function; that is, the f-preimage of any measurable subset is a measurable subset. These basic definitions from dynamical systems theory, as well as the following ones, could be found in [24]; see also [17] as a comprehensive monograph on various aspects of dynamical systems theory.

A trajectory of a dynamical system is a sequence
$$x_0,\ x_1 = f(x_0),\ \ldots,\ x_i = f(x_{i-1}) = f^i(x_0),\ \ldots$$
of points of the space $\mathbb{S}$; $x_0$ is called the initial point of the trajectory. If $F\colon \mathbb{S} \to \mathbb{T}$ is a measurable mapping to some other measurable space $\mathbb{T}$ with a measure $\nu$ (that is, if the F-preimage of any $\nu$-measurable subset of $\mathbb{T}$ is a $\mu$-measurable subset of $\mathbb{S}$), the sequence $F(x_0), F(x_1), F(x_2), \ldots$ is called an observable. Note that the trajectory formally looks like the sequence of states of a pseudorandom generator, whereas the observable resembles the output sequence.

A mapping $F\colon \mathbb{S} \to \mathbb{Y}$ of a measurable space $\mathbb{S}$ into a measurable space $\mathbb{Y}$, endowed with probabilistic measures $\mu$ and $\nu$ respectively, is said to be measure preserving (or, sometimes, equiprobable) whenever $\mu(F^{-1}(S)) = \nu(S)$ for each measurable subset $S \subseteq \mathbb{Y}$. In the case $\mathbb{S} = \mathbb{Y}$ and $\mu = \nu$, a measure preserving mapping F is said to be ergodic whenever for each measurable subset S such that $F^{-1}(S) = S$ either $\mu(S) = 1$ or $\mu(S) = 0$ holds.

Recall that to define a measure $\mu$ on some set $\mathbb{S}$ we should assign non-negative real numbers to some subsets that are called elementary. All other measurable subsets are compositions of these elementary subsets with respect to countable unions, intersections, and complements.

Elementary subsets in $\mathbb{Z}_p$ are balls $B_{p^{-k}}(a) = a + p^k\mathbb{Z}_p$ of radii $p^{-k}$ (in other words, cosets with respect to the ideal generated by $p^k$). To each ball we assign the number $\mu_p(B_{p^{-k}}(a)) = p^{-k}$. This way we define a probabilistic measure on the space $\mathbb{Z}_p$, $\mu_p(\mathbb{Z}_p) = 1$. The measure $\mu_p$ is called the (normalized) Haar measure on $\mathbb{Z}_p$. The normalized Haar measure on $\mathbb{Z}_p^s$ could be defined by analogy.

Note that a sequence $\{s_i\}_{i=0}^{\infty}$ of p-adic integers is uniformly distributed (with respect to the normalized Haar measure $\mu_p$ on $\mathbb{Z}_p$) if and only if it is uniformly distributed modulo $p^k$ for all $k = 1, 2, \ldots$; that is, for every $a \in \mathbb{Z}/p^k\mathbb{Z}$ the relative numbers of occurrences of a in the initial segment of length $\ell$ of the sequence $\{s_i \bmod p^k\}$ of residues modulo $p^k$ are asymptotically equal, i.e., $\lim_{\ell\to\infty} A(a,\ell)/\ell = p^{-k}$, where $A(a,\ell) = |\{s_i \equiv a \pmod{p^k}\colon i < \ell\}|$, see [24] for details. Thus, strictly uniformly distributed sequences are uniformly distributed in the common sense of the theory of distributions of sequences. Moreover, the following theorem (which was announced in [ ] and proved in [7]) holds.

Theorem 3.1. For m = n = 1, a compatible mapping $F\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$ preserves the normalized Haar measure $\mu_p$ on $\mathbb{Z}_p$ (resp., is ergodic with respect to $\mu_p$) if and only if it is bijective (resp., transitive) modulo $p^k$ for all $k = 1, 2, 3, \ldots$

For n > m, the mapping F preserves the measure $\mu_p$ if and only if it induces a balanced mapping of $(\mathbb{Z}/p^k\mathbb{Z})^n$ onto $(\mathbb{Z}/p^k\mathbb{Z})^m$, for all $k = 1, 2, 3, \ldots$.

This theorem in combination with proposition 3.3 implies in particular that whenever one chooses a compatible and ergodic mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ as the state transition function of the automaton $\mathfrak{A}$, and a compatible and measure-preserving mapping $F\colon (\mathbb{Z}/2^n\mathbb{Z})^k \to (\mathbb{Z}/2^n\mathbb{Z})^t$ as the output function of $\mathfrak{A}$, both the sequence of states and the output sequence of the automaton are uniformly distributed with respect to the Haar measure. This implies that reduction of these sequences modulo $2^n$ results in strictly uniformly distributed sequences of binary words. Note also that a computer performs the reduction modulo $2^n$ automatically.

Thus, theorem 3.1 gives us a way to construct generators of uniformly distributed 
sequences out of standard computer instructions. Now the problem is how to de- 
scribe these measure preserving (in particular, ergodic) mappings in the class of 
all compatible mappings. We start to develop some theory to answer the following 
questions: What compositions of basic instructions are measure preserving? are 
ergodic? Given a composition of basic instructions, is it measure preserving? is it 
ergodic? 
4. Tools

In this section we introduce various techniques in order to construct measure preserving and/or ergodic mappings, as well as to verify whether a given mapping is measure preserving or, respectively, ergodic. We are mainly focused on the class of compatible mappings.

The main results of Subsection 4.1 are Theorem 4.1 and Theorem 4.3. With the use of these one can verify whether a given function is measure-preserving or ergodic. Theorem 4.1 gives a general method, yet demands that the function be represented via an interpolation series. Theorem 4.3 gives an easier method for a narrower class of functions, which is, however, rather wide: e.g., it contains polynomials and rational functions.

The main result of Subsection 4.2 is Theorem 4.4, which gives a general method of constructing a measure-preserving or ergodic function out of an arbitrary compatible function.

Theorem 4.5 is the central point of Subsection 4.3. Being more of theoretical 
value, it has as a consequence a useful Proposition 4.10, which gives an easy method 
to construct new vast classes of ergodic functions out of given ergodic function. 

Subsection 4.4 deals with differentiation. In particular, this subsection introduces a calculus for functions built from basic computer operators. The main result of this subsection is Theorem 4.7, which gives conditions for a uniformly differentiable function to be ergodic.

4.1. Interpolation series. The general characterization of compatible ergodic functions is given by the following theorem.

Theorem 4.1. [1, 2] A function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible if and only if it can be represented as
$$f(x) = c_0 + \sum_{i=1}^{\infty} c_i\, 2^{\lfloor \log_2 i \rfloor} \binom{x}{i} \qquad (x \in \mathbb{Z}_2);$$
the function f is compatible and measure preserving if and only if it can be represented as
$$f(x) = c_0 + x + \sum_{i=1}^{\infty} c_i\, 2^{\lfloor \log_2 i \rfloor + 1} \binom{x}{i} \qquad (x \in \mathbb{Z}_2);$$
the function f is compatible and ergodic if and only if it can be represented as
$$f(x) = 1 + x + \sum_{i=1}^{\infty} c_i\, 2^{\lfloor \log_2 (i+1) \rfloor + 1} \binom{x}{i} \qquad (x \in \mathbb{Z}_2),$$
where $c_0, c_1, c_2, \ldots \in \mathbb{Z}_2$. Here, as usual,
$$\binom{x}{i} = \frac{x(x-1)\cdots(x-i+1)}{i!} \ \text{ for } i = 1, 2, \ldots, \qquad \binom{x}{0} = 1,$$
and $\lfloor a \rfloor$ is the integral part of a, i.e., the largest rational integer not exceeding a.

Note. For odd prime p an analog of the statement of theorem 4.1 provides only sufficient conditions for ergodicity (resp., measure preservation) of f: namely, if $(c, p) = 1$, i.e., if c is a unit (= invertible element) of $\mathbb{Z}_p$, then the function $f(x) = c + x + \sum_{i=1}^{\infty} c_i\, p^{\lfloor \log_p (i+1) \rfloor + 1} \binom{x}{i}$ defines a compatible and ergodic mapping of $\mathbb{Z}_p$ onto itself, and the function $f(x) = c_0 + c\cdot x + \sum_{i=1}^{\infty} c_i\, p^{\lfloor \log_p i \rfloor + 1} \binom{x}{i}$ defines a compatible and measure preserving mapping of $\mathbb{Z}_p$ onto itself (see [4]).

Thus, in view of theorem 4.1 one can choose a state transition function to be a polynomial with rational (not necessarily integer) coefficients by setting $c_i = 0$ for all but a finite number of i. Note that to determine whether a given polynomial f with rational (and not necessarily integer) coefficients is integer valued (that is, maps $\mathbb{Z}_p$ into itself), compatible and ergodic, it is sufficient to determine whether it induces a permutation with a single cycle of $O(\deg f)$ integral points. To be more exact, the following proposition holds.

Proposition 4.1. [4] A polynomial $f(x) \in \mathbb{Q}_p[x]$ over the field of p-adic numbers $\mathbb{Q}_p$ is integer valued, compatible, and ergodic (resp., measure preserving) if and only if
$$f(z) \bmod p^{\lfloor \log_p (\deg f) \rfloor + 3},$$
where z runs through $0, 1, \ldots, p^{\lfloor \log_p (\deg f) \rfloor + 3} - 1$, is a compatible and transitive (resp., bijective) mapping of the residue ring $\mathbb{Z}/p^{\lfloor \log_p (\deg f) \rfloor + 3}\mathbb{Z}$ onto itself.

Although this is not very essential for further considerations, we note, however, that the series in the statement of theorem 4.1 and of the note thereafter are uniformly convergent with respect to the p-adic distance. Thus the mapping $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$ is well defined and continuous with respect to the p-adic distance, see [28, Chapter 9].

Theorem 4.1 can be applied in design of exponential (the ones based on expo- 
nentiation) generators of uniformly distributed sequences. 

Example 4.2. For any odd a ~ I + 2m the function f{x) — ax + is transitive 
modulo 2", for all n = 1, 2, . . . 

Indeed, in view of theorem 4.1 the function / defines a compatible and ergodic 
transformation of Z2 since f{x) = (l+2TO)a;-|-(l-|-2m)'^ = a;+277i.T+^,^g m*2*(^) = 
1 + a; + Am{f) + "^*2' (f) and i > [logjli + 1)J + 1 for all i = 2, 3, 4, . . .. ' 

This generator could be of practical value since it uses not more than $n + 1$ multiplications modulo $2^n$ of $n$-bit numbers; of course, one should use calls to the look-up table $a^{2^j} \bmod 2^n$, $j = 1, 2, 3, \ldots, n - 1$. The latter table must be precomputed; the corresponding calculations involve $n - 1$ multiplications modulo $2^n$.
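As an added example (not code from the paper), here is the exponential generator of Example 4.2 implemented with the look-up table $a^{2^j} \bmod 2^n$ just described, together with a brute-force transitivity check for small $n$; the demo parameters are constructed.

```python
# Added example (not the paper's code): the exponential generator of Example 4.2,
# x_{i+1} = (a*x_i + a^{x_i}) mod 2^n for odd a = 1 + 2m, with the precomputed
# look-up table a^(2^j) mod 2^n described in the text, and a brute-force check
# that the state transition is a single cycle of length 2^n (transitivity mod 2^n).

def power_table(a, n):
    """t[j] = a^(2^j) mod 2^n for j = 0..n-1; n-1 squarings (multiplications) mod 2^n."""
    mask = (1 << n) - 1
    t = [a & mask]
    for _ in range(n - 1):
        t.append((t[-1] * t[-1]) & mask)
    return t

def exp_step(x, a, n, table):
    """f(x) = a*x + a^x mod 2^n: one multiplication for a*x plus at most n
    multiplications selected by the bits of x (square-and-multiply with the table)."""
    mask = (1 << n) - 1
    acc = 1
    for j in range(n):
        if (x >> j) & 1:
            acc = (acc * table[j]) & mask
    return (a * x + acc) & mask

def is_transitive(step, n):
    """True iff x -> step(x) is a single cycle on Z/2^n Z (follow the orbit of 0)."""
    size = 1 << n
    x, steps = 0, 0
    while True:
        x, steps = step(x), steps + 1
        if x == 0:
            return steps == size
        if steps > size:
            return False

def exp_generator_is_transitive(a, n):
    table = power_table(a, n)
    return is_transitive(lambda x: exp_step(x, a, n, table), n)

def exp_sequence(a, n, length):
    """First `length` states of the generator started at x_0 = 0."""
    table, x, out = power_table(a, n), 0, []
    for _ in range(length):
        out.append(x)
        x = exp_step(x, a, n, table)
    return out

if __name__ == "__main__":
    # constructed demo: a = 3 (m = 1), 8-bit words
    print(exp_sequence(3, 8, 10))
    print(all(exp_generator_is_transitive(a, n) for a in (3, 5, 7, 9) for n in range(1, 11)))
```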

Note. A similar argument shows that for every prime $p$ and every $a \equiv 1 \pmod p$ the function $f(x) = ax + a^x$ defines a compatible and ergodic mapping of $\mathbb{Z}_p$ onto itself.

For polynomials with (rational or p-adic) integer coefficients theorem 4.1 may be 
restated in the following form. 

Proposition 4.3. [1, 2] Represent a polynomial $f(x) \in \mathbb{Z}_2[x]$ in a basis of descending factorial powers

$x^{\underline{0}} = 1,\ x^{\underline{1}} = x,\ \ldots,\ x^{\underline{i}} = x(x - 1) \cdots (x - i + 1),\ \ldots,$

that is, let

$f(x) = \sum_{i=0}^{d} c_i \cdot x^{\underline{i}}$

for $c_0, c_1, \ldots, c_d \in \mathbb{Z}_2$. Then the polynomial $f$ induces an ergodic (and, obviously, a compatible) mapping of $\mathbb{Z}_2$ onto itself if and only if its coefficients $c_0, c_1, c_2, c_3$ satisfy the following congruences:

$c_0 \equiv 1 \pmod 2,\quad c_1 \equiv 1 \pmod 4,$

$c_2 \equiv 0 \pmod 2,\quad c_3 \equiv 0 \pmod 4.$

The polynomial $f$ induces a measure preserving mapping if and only if

$c_1 \equiv 1 \pmod 2,\quad c_2 \equiv 0 \pmod 2,\quad c_3 \equiv 0 \pmod 2.$

Thus, to provide ergodicity of the polynomial $f$ it is necessary and sufficient to fix 6 bits only, while the other bits of the coefficients of $f$ may be arbitrary. This guarantees transitivity of the state transition function $z \mapsto f(z) \bmod 2^n$ for each $n$, and hence uniform distribution of the sequence of states.

Proposition 4.3 implies that the polynomial $f(x) \in \mathbb{Z}[x]$ is ergodic (resp., measure preserving) if and only if it is transitive modulo 8 (resp., if and only if it is bijective modulo 4). A corresponding assertion holds in the general case, for an arbitrary prime $p$.

Theorem 4.2. [25] A polynomial $f(x) \in \mathbb{Z}_p[x]$ induces an ergodic transformation of $\mathbb{Z}_p$ if and only if it is transitive modulo $p^2$ for $p \ne 2, 3$, or modulo $p^3$ for $p = 2, 3$. The polynomial $f(x) \in \mathbb{Z}_p[x]$ induces a measure preserving transformation of $\mathbb{Z}_p$ if and only if it is bijective modulo $p^2$.

Example 4.4. The mapping $x \mapsto f(x) = x + 2x^2 \pmod{2^{32}}$ (which is used in the cipher RC6, see [30]) is bijective, since it is bijective modulo 4: $f(0) \equiv 0 \pmod 4$, $f(1) \equiv 3 \pmod 4$, $f(2) \equiv 2 \pmod 4$, $f(3) \equiv 1 \pmod 4$. Thus, the mapping $x \mapsto f(x) = x + 2x^2 \pmod{2^n}$ is bijective for all $n = 1, 2, \ldots$.

Hence, with the use of theorem 4.2 it is possible to construct transitive modulo $q > 1$ mappings for arbitrary natural $q$: One just takes $f(z) = (1 + z + \tilde q\, g(z)) \bmod q$, where $g(x) \in \mathbb{Z}[x]$ is an arbitrary polynomial, and $\tilde q$ is a product of $p^{s_p}$ over all prime factors $p$ of $q$, where $s_2 = s_3 = 3$, and $s_p = 2$ for $p \ne 2, 3$. For example, a polynomial $f(x) = 201 + 201x + 200x^{''}$ is transitive modulo $10^n$ for arbitrary $n$.
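An added example (not the paper's code) that checks Proposition 4.3 and Theorem 4.2 for $p = 2$ against brute force, and also covers the RC6 map of Example 4.4 and the construction modulo $q = 10$ above; the polynomial $g(z) = z^2 + 3z$ used for $q = 10$ is a constructed choice.

```python
# Added example (not the paper's code): the polynomial criteria of Proposition 4.3
# and Theorem 4.2 for p = 2, checked against brute force on small residue rings,
# plus the RC6 map of Example 4.4 and the construction modulo q = 10 from the text
# (the polynomial g(z) = z^2 + 3z below is a constructed choice).
from fractions import Fraction
import random

def poly_eval(coeffs, x, q):
    """Horner evaluation of sum coeffs[i] * x^i modulo q (monomial basis)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % q
    return acc

def falling_factorial_coeffs(coeffs):
    """c_i with f(x) = sum_i c_i x^{(i)} (descending factorial powers), obtained from
    Newton forward differences: c_i = Delta^i f(0) / i!  (exact integers for f in Z[x])."""
    d = len(coeffs) - 1
    vals = [sum(a * x ** i for i, a in enumerate(coeffs)) for x in range(d + 1)]
    out, fact = [], 1
    for i in range(d + 1):
        fact *= max(i, 1)
        c = Fraction(vals[0], fact)
        assert c.denominator == 1
        out.append(int(c))
        vals = [vals[k + 1] - vals[k] for k in range(len(vals) - 1)]
    return out

def ergodic_by_prop_4_3(coeffs):
    c = falling_factorial_coeffs(coeffs) + [0, 0, 0, 0]      # absent c_i are 0
    return c[0] % 2 == 1 and c[1] % 4 == 1 and c[2] % 2 == 0 and c[3] % 4 == 0

def measure_preserving_by_prop_4_3(coeffs):
    c = falling_factorial_coeffs(coeffs) + [0, 0, 0, 0]
    return c[1] % 2 == 1 and c[2] % 2 == 0 and c[3] % 2 == 0

def is_transitive_mod(coeffs, q):
    """Single cycle of length q on Z/qZ (follow the orbit of 0)."""
    x, steps = 0, 0
    while True:
        x, steps = poly_eval(coeffs, x, q), steps + 1
        if x == 0:
            return steps == q
        if steps > q:
            return False

def is_bijective_mod(coeffs, q):
    return len({poly_eval(coeffs, x, q) for x in range(q)}) == q

def criteria_agree(trials=200, seed=1):
    """Theorem 4.2, p = 2: ergodic <=> transitive mod 8, measure preserving <=> bijective
    mod 4; and a polynomial transitive mod 8 stays transitive mod 2^n (checked to n = 10)."""
    rng = random.Random(seed)
    for _ in range(trials):
        coeffs = [rng.randrange(-20, 21) for _ in range(rng.randrange(1, 7))]
        t8 = is_transitive_mod(coeffs, 8)
        if t8 != ergodic_by_prop_4_3(coeffs):
            return False
        if is_bijective_mod(coeffs, 4) != measure_preserving_by_prop_4_3(coeffs):
            return False
        if t8 and not all(is_transitive_mod(coeffs, 1 << n) for n in range(1, 11)):
            return False
    return True

RC6_SQUARE = [0, 1, 2]                 # x + 2x^2, Example 4.4
# 1 + z + 200*g(z) with g(z) = z^2 + 3z: transitive modulo 10^n by the construction
# above (200 = 2^3 * 5^2 is the product of p^{s_p} over the prime factors of 10)
MOD10_POLY = [201, 801, 200]

def mod_10_construction_is_transitive(max_n=4):
    return all(is_transitive_mod(MOD10_POLY, 10 ** n) for n in range(1, max_n + 1))
```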

In these considerations, the polynomial $g(x)$ may be chosen, roughly speaking, 'more or less at random', yet the output sequence will be uniformly distributed for any choice of $g(x)$. This assertion can be generalized also:

Proposition 4.5. [4] Let $p$ be a prime, and let $g(x)$ be an arbitrary composition of arithmetic operations (see (2) of section 3). Then the mapping $z \mapsto 1 + z + p^2 g(z)$ ($z \in \mathbb{Z}_p$) is ergodic.

In fact, both propositions 4.3, 4.5 and theorem 4.2 are special cases of the following general theorem.

Theorem 4.3. [4] Let $\mathcal{B}_p$ be a class of all functions defined by series of the form $f(x) = \sum_{i=0}^{\infty} c_i \cdot x^{\underline{i}}$, where $c_0, c_1, \ldots$ are $p$-adic integers, and $x^{\underline{i}}$, $i = 0, 1, 2, \ldots$, are descending factorial powers (see proposition 4.3). Then the function $f \in \mathcal{B}_p$ preserves measure if and only if it is bijective modulo $p^2$; $f$ is ergodic if and only if it is transitive modulo $p^2$ (for $p \ne 2, 3$), or modulo $p^3$ (for $p \in \{2, 3\}$).

Note. As it was shown in [4], the class $\mathcal{B}_p$ contains all polynomial functions over $\mathbb{Z}_p$, as well as analytic (e.g., rational, entire) functions that are convergent everywhere on $\mathbb{Z}_p$. Actually, every mapping that is a composition of arithmetic operators (2) belongs to $\mathcal{B}_p$; thus, every such mapping modulo $p^n$ could be induced by a polynomial with rational integer coefficients (see the end of Section 4 in [4]). For instance, the mapping $x \mapsto (3x + 3^x) \bmod 2^n$ (which is transitive modulo $2^n$, see example 4.2) could be induced by the polynomial $1 + x + 4\binom{x}{1} + \sum_{i=2}^{n} 2^i \binom{x}{i} = 1 + 5x + \sum_{i=2}^{n} \frac{2^i}{i!}\, x^{\underline{i}}$; note that $c_i = \frac{2^i}{i!}$ are 2-adic integers since the exponent of the maximal power of 2 that is a factor of $i!$ is exactly $i - \mathrm{wt}_2\, i$, where $\mathrm{wt}_2\, i$ is the number of 1s in the base-2 expansion of $i$ (see e.g. [22, Chapter 1, Section 2, Exercise 12]); thus $\|c_i\|_2 = 2^{-\mathrm{wt}_2 i} < 1$, i.e. $c_i \in \mathbb{Z}_2$ and so $c_i \bmod 2^n \in \mathbb{Z}$.

Theorem 4.3 implies that, for instance, the state transition function $f(z) = (1 + z + \zeta(q)\, u(z)\, (1 + \zeta(q)\, v(z))^{-1}) \bmod q$ is transitive modulo $q$ for each natural $q > 1$ and arbitrary polynomials $u(x), v(x) \in \mathbb{Z}[x]$, where $\zeta(q)$ is a product of all prime factors of $q$. So one can choose as a state transition function not only polynomial functions, but also rational functions, as well as analytic ones. For instance, certain inversive generators (that exploit multiplicative inverses of residues modulo $2^n$) could be considered.

Example 4.6. The function $f(x) = -\frac{1}{1 + 2x} - x$ is transitive modulo $2^n$, for all $n = 1, 2, 3, \ldots$.

Indeed, the function $f(x) = (-1 + 2x - 4x^2 + 8x^3 - \cdots) - x = -1 + x - 4x^2 + 8(\cdots)$ is analytic and is defined everywhere on $\mathbb{Z}_2$; thus $f \in \mathcal{B}_2$. Now the conclusion follows from theorem 4.3 since by direct calculations it could be easily verified that the function $f(x) \equiv -1 + x - 4x^2 \pmod 8$ is transitive modulo 8. Note that the mapping $x \mapsto f(x) \bmod 2^n$ could be induced by the polynomial $-1 + x - 4x^2 + 8x^3 + \cdots + (-1)^n 2^{n-1} x^{n-1}$.

4.2. Combinations of operators. A transformation of the residue ring $\mathbb{Z}/q\mathbb{Z}$ induced by a polynomial with rational integer coefficients is the only type of mapping that could be constructed as a composition of arithmetic operations, $+$ and $\cdot$. The class of all transitive modulo $q$ mappings induced by polynomials with rational integer coefficients is rather wide: For instance, for $q = 2^n$ it contains 2'^'^" ^ mappings (for the exact value see [23, Proposition 16]). However, this class could be widened significantly (up to a class of order 2^""""^ in case $q = 2^n$) by including bitwise logical operators into the composition. Actually, every compatible mapping could be constructed this way.

Proposition 4.7. Let $g$ be a compatible mapping of $\mathbb{Z}_2$ onto itself. Then for each $n = 1, 2, \ldots$ the mapping $x \mapsto g(x) \bmod 2^n$ could be represented as a finite composition of arithmetic and bitwise logical operators (actually, as a composition of $+$, XOR, AND and shifts towards higher order bits, i.e., multiplications by powers of 2).

Proof. In view of proposition 3.1, one could represent $g$ as

$g(x) = \gamma_0(\chi_0) + 2\gamma_1(\chi_0, \chi_1) + \cdots + 2^{n-1}\gamma_{n-1}(\chi_0, \ldots, \chi_{n-1}),$

where $\gamma_i = \delta_i(g)$, $\chi_i = \delta_i(x)$, $i = 0, 1, \ldots, n - 1$. Since each $\gamma_i(\chi_0, \ldots, \chi_i)$ is a Boolean function in Boolean variables $\chi_0, \ldots, \chi_i$, it could be expressed via a finite number of XORs and ANDs of these variables $\chi_0, \ldots, \chi_i$. Yet each variable $\chi_j$ could be expressed as $\chi_j = \delta_j(x) = 2^{-j}(x \text{ AND } 2^j)$; thus

$2^i \gamma_i(\chi_0, \ldots, \chi_i) = \gamma_i(2^i(x \text{ AND } 1),\ 2^{i-1}(x \text{ AND } 2),\ \ldots,\ 2(x \text{ AND } 2^{i-1}),\ x \text{ AND } 2^i),$

and the conclusion follows. □

It turns out that there is an easy way to construct a measure preserving or ergodic mapping out of an arbitrary compatible mapping:

Theorem 4.4. [ j] Let $\Delta$ be the difference operator, i.e., $\Delta g(x) = g(x + 1) - g(x)$ by definition. Let, further, $p$ be a prime, let $c$ be coprime with $p$, $\gcd(c, p) = 1$, and let $g\colon \mathbb{Z}_p \to \mathbb{Z}_p$ be a compatible mapping. Then the mapping $z \mapsto c + z + p\Delta g(z)$ ($z \in \mathbb{Z}_p$) is ergodic, and the mapping $z \mapsto d + cz + pg(z)$ preserves measure for arbitrary $d$.

Moreover, if $p = 2$, then the converse also holds: Each compatible and ergodic (respectively, each compatible and measure preserving) mapping $z \mapsto f(z)$ ($z \in \mathbb{Z}_2$) can be represented as

$f(x) = 1 + x + 2\Delta g(x)$

(respectively as $f(x) = d + x + 2g(x)$) for suitable $d \in \mathbb{Z}_2$ and compatible $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$.

Note. The case $p = 2$ is the only case where the converse of the first assertion of theorem 4.4 holds.

Example 4.8. Theorem 4.4 immediately implies Theorem 2 of [20]: For any composition $f$ of primitive functions, the mapping $x \mapsto x + 2f(x) \pmod{2^n}$ is invertible; just note that a composition of primitive functions is compatible (see [20] for the definition of primitive functions). □

Theorem 4.4 could be an important tool in the design of pseudorandom generators, since it provides high flexibility during design. In fact, one may use a nearly arbitrary composition of arithmetic and bitwise logical operators to produce a strictly uniformly distributed sequence: Both for $g(x) = x \text{ XOR } (2x + 1)$ and for



g{x)= 1 + 2: 



3 4 \ 

X-'ORX^ \ 



4(5 + 6x5)^''X0R^M 

(note, both these functions $g$ are compatible!) the sequence $\{x_i\}$ defined by the recurrence relation $x_{i+1} = (1 + x_i + 2(g(x_i + 1) - g(x_i))) \bmod 2^n$ is strictly uniformly distributed in $\mathbb{Z}/2^n\mathbb{Z}$, for all $n = 1, 2, 3, \ldots$. Actually, a designer could vary the function $g$ in a very wide scope without worsening prescribed values of some important statistical characteristics of the output sequence. As a matter of fact, choosing proper arithmetic and bitwise logical operators the designer is restricted only by the desirable performance, since any compatible ergodic mapping could be produced this way.
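An added example (not the paper's code) of the construction of Theorem 4.4 for $p = 2$: the function $g(x) = x$ XOR $(2x + 1)$ from the text, a constructed compatible $g$ built from $+$, $\cdot$, XOR, AND, OR, and, as a contrast, a non-compatible $g$ (a right shift) for which the construction fails.

```python
# Added example (not the paper's code): Theorem 4.4 for p = 2 in code. For a compatible
# g (built here only from +, *, XOR, AND, OR of integers, all of which are compatible)
# the recurrence x_{i+1} = (1 + x_i + 2(g(x_i + 1) - g(x_i))) mod 2^n is a single
# 2^n-cycle, and d + x + 2 g(x) is a bijection mod 2^n. g_xor is from the text;
# g_mixed and the non-compatible g_shift are constructed for this demonstration.

def g_xor(x):
    return x ^ (2 * x + 1)                      # g(x) = x XOR (2x + 1) from the text

def g_mixed(x):
    # a constructed, deliberately messy compatible g: any composition of +, *, XOR, AND, OR works
    return (((x * x + 3) | (x ^ 0x5A5A)) + ((x & 0xF0F0) * 7)) ^ (x * x * x)

def g_shift(x):
    return x >> 1                               # NOT compatible: bit 0 of g depends on bit 1 of x

def delta_step(g, n):
    """x -> 1 + x + 2*Delta g(x) mod 2^n, where Delta g(x) = g(x+1) - g(x)."""
    mask = (1 << n) - 1
    return lambda x: (1 + x + 2 * (g(x + 1) - g(x))) & mask

def mp_step(g, d, n):
    """x -> d + x + 2 g(x) mod 2^n, the measure preserving form of Theorem 4.4."""
    mask = (1 << n) - 1
    return lambda x: (d + x + 2 * g(x)) & mask

def is_single_cycle(step, n):
    size = 1 << n
    x, steps = 0, 0
    while True:
        x, steps = step(x), steps + 1
        if x == 0:
            return steps == size
        if steps > size:
            return False

def is_bijection(step, n):
    size = 1 << n
    return len({step(x) for x in range(size)}) == size

def theorem_4_4_holds(max_n=12):
    """Check the ergodic and the measure preserving constructions for all n <= max_n."""
    for n in range(1, max_n + 1):
        for g in (g_xor, g_mixed):
            if not is_single_cycle(delta_step(g, n), n):
                return False
            if not is_bijection(mp_step(g, 5, n), n):
                return False
    return True

def non_compatible_g_fails(n=4):
    """With g(x) = x >> 1 the construction is transitive mod 2 but not mod 2^n, n >= 2."""
    return is_single_cycle(delta_step(g_shift, 1), 1) and not is_single_cycle(delta_step(g_shift, n), n)
```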

4.3. Boolean representation. In case $p = 2$ the two preceding subsections give two (equivalent) complete descriptions of the class of all compatible ergodic mappings, namely, theorem 4.1 and theorem 4.4. They enable one to express any compatible and transitive modulo $2^n$ state transition function either as a polynomial of a special kind over the field $\mathbb{Q}$ of rational numbers, or as a special composition of arithmetic and bitwise logical operations. Both these representations are suitable for programming, since they involve only standard machine instructions. However, we need one more representation, in a Boolean form (see proposition 3.1). Although this representation is not very convenient for programming, it outlines some new methods for the construction of ergodic transformations, see proposition 4.10 below. Also, this representation could be of use while proving the ergodicity of some simple mappings, see e.g. example 4.9 below. The following theorem is just a restatement of a known (at least 30 years old) result from the theory of Boolean functions, the so-called bijectivity/transitivity criterion for triangle Boolean mappings. However, the latter is mathematical folklore, and thus it is somewhat difficult to attribute it, yet a reader can find a proof in, e.g., [1, Lemma 4.8].

Theorem 4.5. A mapping $T\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is compatible and measure preserving if and only if for each $i = 0, 1, \ldots$ the algebraic normal form, ANF, of the Boolean function $\tau_i^T = \delta_i(T)$ in Boolean variables $\chi_0, \ldots, \chi_i$ can be represented as

$\tau_i^T(\chi_0, \ldots, \chi_i) = \chi_i + \varphi_i^T(\chi_0, \ldots, \chi_{i-1}),$

where $\varphi_i^T$ is an ANF of a Boolean function in Boolean variables $\chi_0, \ldots, \chi_{i-1}$. The mapping $T$ is compatible and ergodic if and only if, in addition to the already stated conditions, the following conditions hold: $\varphi_0^T = 1$, and each Boolean function $\varphi_i^T$ ($i > 0$) is of odd weight.

Note. Recall that the algebraic normal form (ANF for short) of the Boolean function $\psi(\chi_0, \ldots, \chi_j)$ is the representation of this function via $\oplus$ (addition modulo 2, that is, logical 'exclusive or') and $\odot$ (multiplication modulo 2, that is, logical 'and', or conjunction). In other words, the ANF of the Boolean function $\psi$ is its representation in the form

$\psi(\chi_0, \ldots, \chi_j) = \beta \oplus \beta_0 \chi_0 \oplus \beta_1 \chi_1 \oplus \cdots \oplus \beta_{0,1} \chi_0 \chi_1 \oplus \cdots,$

where $\beta, \beta_0, \ldots \in \{0, 1\}$. The ANF is sometimes called a Boolean polynomial. In the sequel in the ANF we write $+$ instead of $\oplus$ and $\cdot$ instead of $\odot$ when this does not lead to misunderstanding.

Recall that the weight of the Boolean function $\psi$ in $(j + 1)$ variables is the number of $(j + 1)$-bit words that satisfy $\psi$; that is, the weight of a Boolean function is the cardinality of the truth set of the Boolean function.

Note that the weight of the Boolean function $\varphi(\chi_0, \ldots, \chi_{i-1})$ in Boolean variables $\chi_0, \ldots, \chi_{i-1}$ is odd if and only if the degree $\deg \varphi$ of the Boolean function $\varphi$ is exactly $i$, that is, if and only if the ANF of $\varphi$ contains the monomial $\chi_0 \cdots \chi_{i-1}$.

Example 4.9. With the use of theorem 4.5 it is possible to give a short proof of the main result of [20], namely, of Theorem 3 there: The mapping $f(x) = x + (x^2 \text{ OR } C)$ over $n$-bit words is invertible if and only if the least significant bit of $C$ is 1. For $n \ge 3$ it is a permutation with a single cycle if and only if both the least significant bit and the third least significant bit of $C$ are 1.

Proof of theorem 3 of [20]. Recall that for $x \in \mathbb{Z}_2$ and $i = 0, 1, 2, \ldots$ we denote $\chi_i = \delta_i(x) \in \{0, 1\}$; also we denote $c_i = \delta_i(C)$. We will calculate the ANF of the Boolean function $\delta_i(x + (x^2 \text{ OR } C))$ in variables $\chi_0, \chi_1, \ldots$. We start with the following easy claims:

• $\delta_0(x^2) = \chi_0$, $\delta_1(x^2) = 0$, $\delta_2(x^2) = \chi_0 \chi_1 + \chi_1$,

• $\delta_n(x^2) = \chi_{n-1} \chi_0 + \psi_n(\chi_0, \ldots, \chi_{n-2})$ for all $n \ge 3$, where $\psi_n$ is a Boolean function in $n - 1$ Boolean variables $\chi_0, \ldots, \chi_{n-2}$.

The first of these claims could be easily verified by direct calculations. To prove the second one, represent $x = x_{n-1} + 2^{n-1} s_{n-1}$ for $x_{n-1} = x \bmod 2^{n-1}$ and calculate $x^2 = (x_{n-1} + 2^{n-1} s_{n-1})^2 = x_{n-1}^2 + 2^n s_{n-1} x_{n-1} + 2^{2n-2} s_{n-1}^2 \equiv x_{n-1}^2 + 2^n \chi_{n-1} \chi_0 \pmod{2^{n+1}}$ for $n \ge 3$ and note that $x_{n-1}^2$ depends only on $\chi_0, \ldots, \chi_{n-2}$.

This gives

(1) $\delta_0(x^2 \text{ OR } C) = \chi_0 + c_0 + \chi_0 c_0$

(2) $\delta_1(x^2 \text{ OR } C) = c_1$

(3) $\delta_2(x^2 \text{ OR } C) = \chi_0 \chi_1 + \chi_1 + c_2 + c_2 \chi_1 + c_2 \chi_0 \chi_1$

(4) $\delta_n(x^2 \text{ OR } C) = \chi_{n-1} \chi_0 + \psi_n + c_n + c_n \chi_{n-1} \chi_0 + c_n \psi_n$ for $n \ge 3$

From here it follows that if $n \ge 3$, then $\delta_n(x^2 \text{ OR } C) = \lambda_n(\chi_0, \ldots, \chi_{n-1})$, and $\deg \lambda_n \le n - 1$, since $\psi_n$ depends only on $\chi_0, \ldots, \chi_{n-2}$.

Now we successively calculate $\gamma_n = \delta_n(x + (x^2 \text{ OR } C))$ for $n = 0, 1, 2, \ldots$. We have $\delta_0(x + (x^2 \text{ OR } C)) = c_0 + \chi_0 c_0$, so necessarily $c_0 = 1$ since otherwise $f$ is not bijective modulo 2. Proceeding further with $c_0 = 1$ we obtain $\delta_1(x + (x^2 \text{ OR } C)) = c_1 + \chi_0 + \chi_1$, since $\chi_0$ is a carry. Then $\delta_2(x + (x^2 \text{ OR } C)) = (c_1 \chi_0 + c_1 \chi_1 + \chi_0 \chi_1) + (\chi_0 \chi_1 + \chi_1 + c_2 + c_2 \chi_1 + c_2 \chi_0 \chi_1) + \chi_2 = c_1 \chi_0 + c_1 \chi_1 + \chi_1 + c_2 + c_2 \chi_1 + c_2 \chi_0 \chi_1 + \chi_2$; here $c_1 \chi_0 + c_1 \chi_1 + \chi_0 \chi_1$ is a carry. From here in view of theorem 4.5 we immediately deduce that $c_2 = 1$ since otherwise $f$ is not transitive modulo 8. Now for $n \ge 3$ one has $\gamma_n = \alpha_n + \lambda_n + \chi_n$, where $\alpha_n$ is a carry, and $\alpha_{n+1} = \alpha_n \lambda_n + \alpha_n \chi_n + \lambda_n \chi_n$. But if $c_2 = 1$ then $\deg \alpha_3 = \deg(\mu\nu + \chi_2 \mu + \chi_2 \nu) = 3$, where $\mu = c_1 \chi_0 + c_1 \chi_1 + \chi_0 \chi_1$, $\nu = (\chi_0 \chi_1 + \chi_1 + c_2 + c_2 \chi_1 + c_2 \chi_0 \chi_1) = 1$. This implies inductively in view of (4) above that $\deg \alpha_{n+1} = n + 1$ and that $\gamma_{n+1} = \chi_{n+1} + \xi_{n+1}(\chi_0, \ldots, \chi_n)$, $\deg \xi_{n+1} = n + 1$. So the conditions of theorem 4.5 are satisfied, thus finishing the proof of theorem 3 of [20]. □

There are some other applications of Theorem 4.5. 

Proposition 4.10. Let $F\colon \mathbb{Z}_2^{n+1} \to \mathbb{Z}_2$ be a compatible mapping such that for all $z_1, \ldots, z_n \in \mathbb{Z}_2$ the mapping $F(x, z_1, \ldots, z_n)\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is measure preserving. Then $F(f(x), 2g_1(x), \ldots, 2g_n(x))$ preserves measure for all compatible $g_1, \ldots, g_n\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and all compatible and measure preserving $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$. Moreover, if $f$ is ergodic then $f(x + 4g(x))$, $f(x \text{ XOR } (4g(x)))$, $f(x) + 4g(x)$, and $f(x) \text{ XOR } (4g(x))$ are ergodic for any compatible $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$.

Proof. Since the function $F$ is compatible, $\delta_i(F(u_0, u_1, \ldots, u_n))$ does not depend on $\delta_j(u_k) = \chi_{k,j}$ for $j > i$ (see proposition 3.1 and the note thereafter). Consider the ANF of the Boolean function $\delta_i(F(u_0, u_1, \ldots, u_n))$:

$\delta_i(F(u_0, u_1, \ldots, u_n)) = \chi_{0,i} \Psi_i(u_0, u_1, \ldots, u_n) + \Phi_i(u_0, u_1, \ldots, u_n),$

where the Boolean functions $\Psi_i(u_0, u_1, \ldots, u_n)$ and $\Phi_i(u_0, u_1, \ldots, u_n)$ do not depend on $\chi_{0,i}$; that is, they depend only on

$\chi_{0,0}, \ldots, \chi_{0,i-1},\ \chi_{1,0}, \ldots, \chi_{1,i},\ \ldots,\ \chi_{n,0}, \ldots, \chi_{n,i}.$

In view of theorem 4.5, $\Psi_i = 1$ since $F(x, z_1, \ldots, z_n)$ preserves measure for all $z_1, \ldots, z_n \in \mathbb{Z}_2$. Moreover, then $\Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x))$ does not depend on $\chi_i = \delta_i(x)$ since $\delta_i(2g_j(x))$ does not depend on $\chi_i$ for all $j = 1, 2, \ldots, n$. So in view of theorem 4.5, $\delta_i(f(x)) = \chi_i + \xi_i(f(x))$, where $\xi_i(f(x))$ does not depend on $\chi_i$ since $f$ preserves measure. Finally,

$\delta_i(F(f(x), 2g_1(x), \ldots, 2g_n(x))) = \delta_i(f(x)) + \Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x)) = \chi_i + \xi_i(f(x)) + \Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x)) = \chi_i + \bigl(\xi_i(f(x)) + \Phi_i(f(x), 2g_1(x), \ldots, 2g_n(x))\bigr),$

where the Boolean function in parentheses depends only on $\chi_0, \ldots, \chi_{i-1}$. This proves the first assertion of proposition 4.10 in view of theorem 4.5.

We prove the second assertion along similar lines. For $z \in \mathbb{Z}_2$ and $i = 0, 1, 2, \ldots$ let $\zeta_i = \delta_i(z)$. Thus one can represent $\delta_i(z \text{ XOR } 4g(z))$ and $\delta_i(z + 4g(z))$ via ANFs in Boolean variables $\zeta_0, \zeta_1, \ldots, \zeta_i$. Note that $\delta_i(z \text{ XOR } 4g(z)) = \zeta_i + \lambda_i(z)$, where $\lambda_i(z) = 0$ for $i = 0, 1$ and $\deg \lambda_i(z) \le i - 1$ for $i > 1$, since for $i > 1$ the Boolean function $\lambda_i(z)$ depends only on $\zeta_0, \ldots, \zeta_{i-2}$.

Further, we claim that $\delta_i(z + 4g(z)) = \delta_i(z) + \mu_i(z)$, where $\mu_i(z) = \mu_i^g(z)$ is $0$ for $i = 0, 1$ and $\deg \mu_i(z) \le i - 1$ for $i > 1$. Indeed, $\mu_i(z) = \lambda_i(z) + \alpha_i(z)$, where the Boolean function $\alpha_i(z)$ is a carry. Yet $\alpha_i(z) = 0$ for $i = 0, 1, 2$, and $\alpha_i(z) = \zeta_{i-1} \lambda_{i-1}(z) + \zeta_{i-1} \alpha_{i-1}(z) + \lambda_{i-1}(z) \alpha_{i-1}(z)$ for $i \ge 3$, and $\alpha_i(z)$ depends only on $\zeta_0, \ldots, \zeta_{i-1}$ since $\alpha_i(z)$ is a carry. However, $\deg \alpha_3(z) = 2$ and if $\deg \alpha_{i-1}(z) \le i - 2$ then $\deg \zeta_{i-1} \alpha_{i-1}(z) \le i - 1$, $\deg \lambda_{i-1}(z) \alpha_{i-1}(z) \le i - 1$, and $\deg \zeta_{i-1} \lambda_{i-1}(z) \le i - 1$ since $\alpha_{i-1}(z)$ depends only on $\zeta_0, \ldots, \zeta_{i-2}$ and $\lambda_{i-1}(z)$ depends only on $\zeta_0, \ldots, \zeta_{i-3}$. Thus $\deg \alpha_i(z) \le i - 1$ and hence $\deg \mu_i(z) \le i - 1$.

Now, since $f(x)$ is ergodic, $\delta_i(f(x)) = \chi_i + \xi_i(x)$, where the Boolean function $\xi_i$ depends only on $\chi_0, \ldots, \chi_{i-1}$ and, additionally, $\xi_0 =1$, and $\deg \xi_i = i$ for $i > 0$ (see theorem 4.5); i.e. $\xi_i(x) = \chi_0 \chi_1 \cdots \chi_{i-1} + \vartheta_i(x)$, where $\deg \vartheta_i(x) \le i - 1$ for $i > 0$. Hence, for $* \in \{+, \text{XOR}\}$ one has $\delta_i(f(x * 4g(x))) = \delta_i(x * 4g(x)) + \delta_0(x * 4g(x)) \delta_1(x * 4g(x)) \cdots \delta_{i-1}(x * 4g(x)) + \vartheta_i(x * 4g(x))$; thus $\delta_i(f(x * 4g(x))) = \chi_i + \chi_0 \cdots \chi_{i-1} + \beta_i^*(x)$, where $\deg \beta_i^*(x) \le i - 1$ for $i > 0$, and $\delta_0(f(x * 4g(x))) = \delta_0(x * 4g(x)) + 1 = \chi_0 + 1$. Finally, $f(x * 4g(x))$ for $* \in \{+, \text{XOR}\}$ is ergodic in view of theorem 4.5.

In a similar manner it could be demonstrated that $f(x) * 4g(x)$ is ergodic for $* \in \{+, \text{XOR}\}$: $\delta_i(f(x) * 4g(x)) = \delta_i(f(x))$ for $i = 0, 1$ and thus satisfy the conditions of theorem 4.5. For $i > 1$ one has $\delta_i(f(x) \text{ XOR } 4g(x)) = \chi_i + \xi_i(x) + \delta_{i-2}(g(x))$; but $\delta_{i-2}(g(x))$ does not depend on $\chi_{i-1}, \chi_i$. Thus the Boolean function $\xi_i(x) + \delta_{i-2}(g(x))$ in variables $\chi_0, \ldots, \chi_{i-1}$ is of odd weight, since $\xi_i(x)$ is of odd weight, thus proving that $f(x) \text{ XOR } 4g(x)$ is ergodic.

Now represent $g(x) = g(f^{-1}(f(x))) = h(f(x))$, where $f^{-1}$ is the inverse mapping for $f$. Clearly, $f^{-1}(x)$ is well defined since the mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ is bijective; moreover $f^{-1}(x)$ is compatible and ergodic. Finally $\delta_i(f(x) + 4g(x)) = \delta_i(f(x)) + \mu_i(f(x))$, where the ANF of the Boolean function $\mu_i(x) = \mu_i^h(x)$ in Boolean variables $\chi_0, \ldots, \chi_{i-1}$ does not contain the monomial $\chi_0 \cdots \chi_{i-1}$ (see the claim above). This implies that the ANF of the Boolean function $\mu_i(f(x))$ in Boolean variables $\chi_0, \ldots, \chi_{i-1}$ does not contain the monomial $\chi_0 \cdots \chi_{i-1}$ either, since $\delta_j(f(x)) = \chi_j + \xi_j(x)$ and $\xi_j(x)$ depend only on $\chi_0, \ldots, \chi_{j-1}$ for $j = 2, 3, \ldots$. Hence, $\delta_i(f(x) + 4g(x)) = \chi_i + \xi_i(x) + \mu_i(f(x))$ and the Boolean function $\xi_i(x) + \mu_i(f(x))$ in Boolean variables $\chi_0, \ldots, \chi_{i-1}$ is of odd weight. This finishes the proof in view of theorem 4.5. □
Example 4.11. With the use of proposition 4.10 it is possible to construct very fast generators $x_{i+1} = f(x_i) \bmod 2^n$ that are transitive modulo $2^n$. For instance, take

$f(x) = (\ldots((((x + c_0) \text{ XOR } d_0) + c_1) \text{ XOR } d_1) \ldots + c_m) \text{ XOR } d_m,$

where $c_0 \equiv 1 \pmod 2$, and the rest of the $c_i, d_i$ are $\equiv 0$ modulo 4. In the general situation these functions $f$ (for arbitrary $c_i, d_i$) were studied in [23], where it was proved that $f$ is ergodic if and only if it is transitive modulo 4.
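An added example (not the paper's code) implementing the criterion of Theorem 4.5: the ANF of each coordinate function $\delta_i(T)$ is obtained by a Möbius transform of its truth table, and the result is checked on $x + (x^2$ OR $C)$ of Example 4.9 and on the add/XOR chains of Example 4.11 against brute-force bijectivity and single-cycle tests; all parameter values are constructed.

```python
# Added example (not the paper's code): Theorem 4.5 as a program. coordinate_anf()
# returns the ANF of delta_i(T(x)) for a map T on n-bit words; theorem_4_5() applies
# the triangular criterion. Checked on Example 4.9 and Example 4.11 with constructed
# parameters against brute force.

def coordinate_anf(T, i, n):
    """ANF of delta_i(T(x)) as a set of monomials; a monomial is a bitmask of the
    variables chi_0..chi_{n-1} it contains (mask 0 is the constant 1)."""
    size = 1 << n
    tt = [(T(x) >> i) & 1 for x in range(size)]      # truth table, indexed by x
    for b in range(n):                                # in-place Moebius transform
        for m in range(size):
            if (m >> b) & 1:
                tt[m] ^= tt[m ^ (1 << b)]
    return {m for m in range(size) if tt[m]}

def theorem_4_5(T, n):
    """(measure_preserving, ergodic) for T on n-bit words, i.e. bijective / single
    cycle modulo 2^n, decided from the ANFs only."""
    ergodic = True
    for i in range(n):
        anf = coordinate_anf(T, i, n)
        xi = 1 << i
        # delta_i = chi_i + phi_i(chi_0..chi_{i-1}): chi_i occurs alone, every other
        # monomial uses only lower variables (this also enforces compatibility)
        if xi not in anf or any(m != xi and m >= xi for m in anf):
            return (False, False)
        # phi_i has odd weight iff its ANF contains chi_0...chi_{i-1} (mask 2^i - 1);
        # for i = 0 that monomial is the constant term, i.e. phi_0 = 1
        if (xi - 1) not in anf:
            ergodic = False
    return (True, ergodic)

def is_bijection(T, n):
    return len({T(x) for x in range(1 << n)}) == 1 << n

def is_single_cycle(T, n):
    x, steps = 0, 0
    while True:
        x, steps = T(x), steps + 1
        if x == 0:
            return steps == 1 << n
        if steps > 1 << n:
            return False

def klimov_shamir(C, n):
    """f(x) = x + (x^2 OR C) on n-bit words (Example 4.9)."""
    mask = (1 << n) - 1
    return lambda x: (x + ((x * x) | C)) & mask

def example_4_9_holds(n=6):
    """Invertible iff bit 0 of C is 1; single cycle iff bits 0 and 2 of C are 1 (n >= 3)."""
    for C in range(1 << n):
        f = klimov_shamir(C, n)
        mp, erg = theorem_4_5(f, n)
        if (mp, erg) != ((C & 1) == 1, (C & 5) == 5):
            return False
        if (mp, erg) != (is_bijection(f, n), is_single_cycle(f, n)):
            return False
    return True

def add_xor_chain(cs, ds, n):
    """f(x) = (...(((x + c_0) XOR d_0) + c_1) XOR d_1 ...) XOR d_m (Example 4.11)."""
    mask = (1 << n) - 1
    def f(x):
        for c, d in zip(cs, ds):
            x = ((x + c) & mask) ^ (d & mask)
        return x
    return f

def example_4_11_holds(n=8):
    # c_0 odd and all other c_i, d_i = 0 mod 4: ergodic by Proposition 4.10
    f = add_xor_chain([7, 12, 20], [4, 8, 16], n)
    if theorem_4_5(f, n) != (True, True) or not is_single_cycle(f, n):
        return False
    # other constants: ergodic iff transitive modulo 4, as the text states after [23]
    for cs, ds in (([1, 0], [0, 2]), ([1, 4, 8], [2, 6, 8]), ([3, 5, 6], [1, 2, 9])):
        transitive_mod_4 = is_single_cycle(add_xor_chain(cs, ds, 2), 2)
        if theorem_4_5(add_xor_chain(cs, ds, n), n)[1] != transitive_mod_4:
            return False
    return True
```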

4.4. Uniform differentiability. In the previous subsections we considered some methods that could be used to verify whether a given transformation $f$ of the space $\mathbb{Z}_2$ is measure preserving or ergodic. One way is to represent $f$ by an interpolation series and apply theorem 4.1, the second way is to represent $f$ in the special form described by theorem 4.4, the third way is to use the Boolean representation and theorem 4.5. These methods are universal, meaning they could be applied to any compatible function $f$. However, they work only in the univariate case.

In this subsection we present another method that works for multivariate functions also, but is not universal any more; the method could be applied only to uniformly differentiable mappings and some mappings that are close to these. The class of these mappings is rather wide, though.

Now we recall a generalized version of the main notion of Calculus, a derivative modulo $p^k$, which was originally introduced in [1, 2, 4]. By the definition, for points $a = (a_1, \ldots, a_s)$ and $b = (b_1, \ldots, b_s)$ of $\mathbb{Z}_p^s$ the congruence $a \equiv b \pmod{p^k}$ means that $\|a_i - b_i\|_p \le p^{-k}$ (or, the same, that $a_i = b_i + c_i p^k$ for suitable $c_i \in \mathbb{Z}_p$, $i = 1, 2, \ldots, s$); that is $\|a - b\|_p \le p^{-k}$.

Definition 4.12. A function

$F = (f_1, \ldots, f_m)\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$

is said to be differentiable modulo $p^k$ at the point $u = (u_1, \ldots, u_n) \in \mathbb{Z}_p^n$ if there exists a positive rational integer $N$ and an $n \times m$ matrix $F'_k(u)$ over $\mathbb{Q}_p$ (called the Jacobi matrix modulo $p^k$ of the function $F$ at the point $u$) such that for every positive rational integer $K \ge N$ and every $h = (h_1, \ldots, h_n) \in \mathbb{Z}_p^n$ the congruence

(4) $F(u + h) \equiv F(u) + h F'_k(u) \pmod{p^{K+k}}$

holds whenever $\|h\|_p \le p^{-K}$. In case $m = 1$ the Jacobi matrix modulo $p^k$ is called a differential modulo $p^k$. In case $m = n$ the determinant of the Jacobi matrix modulo $p^k$ is called a Jacobian modulo $p^k$. Entries of the Jacobi matrix modulo $p^k$ are called partial derivatives modulo $p^k$ of the function $F$ at the point $u$.

A partial derivative (respectively, a differential) modulo $p^k$ is sometimes denoted as $\frac{\partial_k f_i(u)}{\partial_k x_j}$ (respectively, as $d_k F(u) =$

Since the notion of a function that is differentiable modulo $p^k$ is of high importance for the theory that follows, we discuss this notion in detail. Compared to differentiability, the differentiability modulo $p^k$ is a weaker restriction. Speaking loosely, in the univariate case ($m = n = 1$), definition 4.12 just yields that

$\frac{F(u + h) - F(u)}{h} \approx F'_k(u).$

Note that whenever $\approx$ ('approximately') stands for an 'arbitrarily high precision' one obtains the common definition of differentiability; however, if $\approx$ stands for a 'precision that is not worse than $p^{-k}$', one obtains the differentiability modulo $p^k$.

We note that the notion of a derivative modulo $p^k$ has no direct analog in the classical Calculus: A derivative with a precision up to the $k$-th digit after the point, being often used in common speech, is meaningless from the rigorous point of view since there is no distinguished base in real analysis. However, this notion is meaningful in $p$-adic analysis since there is a distinguished base; namely, base $p$.

In $p$-adic analysis, it is obvious that whenever a function is differentiable (and its derivative is a $p$-adic integer), it is differentiable modulo $p^k$ for all $k = 1, 2, \ldots$, and in this case the derivative modulo $p^k$ is just a reduction of the derivative modulo $p^k$ (note that according to definition 4.12 partial derivatives modulo $p^k$ are determined up to a summand that is $0$ modulo $p^k$).

In cases when all partial derivatives modulo $p^k$ at all points of $\mathbb{Z}_p^n$ are $p$-adic integers, we say that the function $F$ has integer valued derivative modulo $p^k$; in these cases we can associate to each partial derivative modulo $p^k$ a unique element of the ring $\mathbb{Z}/p^k\mathbb{Z}$; a Jacobi matrix modulo $p^k$ at each point $u \in \mathbb{Z}_p^n$ thus can be considered as a matrix over the ring $\mathbb{Z}/p^k\mathbb{Z}$. It turns out that this is exactly the case for a compatible function $F$. Namely, the following proposition holds.

Proposition 4.13. [1, 2] Let a compatible function $F = (f_1, \ldots, f_m)\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$ be uniformly differentiable modulo $p^k$ at the point $u \in \mathbb{Z}_p^n$. Then $\left\|\frac{\partial_k f_i(u)}{\partial_k x_j}\right\|_p \le 1$; i.e., $F$ has integer valued derivatives modulo $p^k$.

For functions with integer valued derivatives modulo $p^k$ the 'rules of differentiation modulo $p^k$' have the same (up to congruence modulo $p^k$ instead of equality) form as for usual differentiation. For instance, if both functions $G\colon \mathbb{Z}_p^s \to \mathbb{Z}_p^n$ and $F\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$ are differentiable modulo $p^k$ at the points, respectively, $v = (v_1, \ldots, v_s)$ and $u = G(v)$, and their partial derivatives modulo $p^k$ at these points are $p$-adic integers, then the composition $F \circ G\colon \mathbb{Z}_p^s \to \mathbb{Z}_p^m$ of these functions is uniformly differentiable modulo $p^k$ at the point $v$, all its partial derivatives modulo $p^k$ at this point are $p$-adic integers, and $(F \circ G)'_k(v) \equiv G'_k(v) F'_k(u) \pmod{p^k}$.

Definition 4.14. A function $F\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$ is said to be uniformly differentiable modulo $p^k$ on $\mathbb{Z}_p^n$ if and only if there exists $K \in \mathbb{N}$ such that congruence (4) holds simultaneously for all $u \in \mathbb{Z}_p^n$ as soon as $\|h_i\|_p \le p^{-K}$ ($i = 1, 2, \ldots, n$). The least of these $K$ is denoted $N_k(F)$.

Recall that all partial derivatives modulo $p^k$ of a uniformly differentiable modulo $p^k$ function $F$ are periodic functions with period $p^{N_k(F)}$, see [1, Proposition 2.12]. Thus, each partial derivative modulo $p^k$ could be considered as a function defined on (and valuated in) the residue ring $\mathbb{Z}/p^{N_k(F)}\mathbb{Z}$. Moreover, if a continuation $\bar F$ of the function $F = (f_1, \ldots, f_m)\colon \mathbb{N}_0^n \to \mathbb{N}_0^m$ to the space $\mathbb{Z}_p^n$ is a uniformly differentiable modulo $p^k$ function on $\mathbb{Z}_p^n$, then one can simultaneously continue the function $F$ together with all its (partial) derivatives modulo $p^k$ to the whole space $\mathbb{Z}_p^n$. Consequently, we may study if necessary (partial) derivatives modulo $p^k$ of the function $\bar F$ instead of those of $F$ and vice versa. For example, a partial derivative $\frac{\partial_k f_i(u)}{\partial_k x_j}$ modulo $p^k$ vanishes modulo $p^k$ at no point of $\mathbb{Z}_p^n$ (that is, $\frac{\partial_k f_i(u)}{\partial_k x_j} \not\equiv 0 \pmod{p^k}$ for all $u \in \mathbb{Z}_p^n$, or, the same, $\left\|\frac{\partial_k f_i(u)}{\partial_k x_j}\right\|_p > p^{-k}$ everywhere on $\mathbb{Z}_p^n$) if and only if

$\frac{\partial_k f_i(u)}{\partial_k x_j} \not\equiv 0 \pmod{p^k}$ for all $u \in \{0, 1, \ldots, p^{N_k(F)} - 1\}^n$.

In case $p = 2$, differentiation modulo $p^k$ could naturally be implemented as a computer program, since this differentiation just implies (for a univariate $F$) estimation of the fraction $\frac{F(u + h) - F(u)}{h}$ with a $k$-bit precision, i.e., evaluation of the first $k$ low order bits of the base-2 expansion of the corresponding number. To calculate a derivative of, for instance, a state transition function, which is a composition of basic instructions of a CPU (that is, of 'elementary' functions, see proposition 4.7), one needs to know the derivatives of these 'elementary' functions, such as arithmetic and bitwise logical operations. Here we briefly introduce a $p$-adic analog of the 'table of derivatives' of classical Calculus.

Example 4.15. Derivatives of bitwise logical operations.

(1) a function $f(x) = x \text{ AND } c$ is uniformly differentiable on $\mathbb{Z}_2$ for any $c \in \mathbb{Z}$; $f'(x) = 0$ for $c \ge 0$, and $f'(x) = 1$ for $c < 0$, since $f(x + 2^n s) = f(x)$, respectively $f(x + 2^n s) = f(x) + 2^n s$, for $n > l(|c|)$, where $l(|c|)$ is the bit length of the absolute value of $c$ (mind that for $c > 0$ the 2-adic representation of $-c$ starts with $2^{l(c)} - c$ in the less significant bits followed by $\ldots 11$: $-1 = \ldots 111$, $-3 = \ldots 11101$, etc.).

(2) a function $f(x) = x \text{ XOR } c$ is uniformly differentiable on $\mathbb{Z}_2$ for any $c \in \mathbb{Z}$; $f'(x) = 1$ for $c \ge 0$, and $f'(x) = -1$ for $c < 0$. This immediately follows from (1) since $u \text{ XOR } v = u + v - 2(u \text{ AND } v)$ (see (1) in section 3); thus $(x \text{ XOR } c)' = x' + c' - 2(x \text{ AND } c)' = 1 + 2 \cdot (0, \text{ for } c \ge 0;\ \text{or } -1, \text{ for } c < 0)$.

(3) in the same manner it could be shown that the functions $(x \bmod 2^n)$, $\text{NOT}(x)$ and $(x \text{ OR } c)$ for $c \in \mathbb{Z}$ are uniformly differentiable on $\mathbb{Z}_2$, and $(x \bmod 2^n)' = 0$, $(\text{NOT } x)' = -1$, $(x \text{ OR } c)' = 1$ for $c \ge 0$, $(x \text{ OR } c)' = 0$ for $c < 0$.

(4) a function $f(x, y) = x \text{ XOR } y$ is not uniformly differentiable on $\mathbb{Z}_2^2$ (as a bivariate function), yet it is uniformly differentiable modulo 2 on $\mathbb{Z}_2^2$; from (2) it follows that its partial derivatives modulo 2 are 1 everywhere on $\mathbb{Z}_2^2$.

Here is how it works altogether.

Examples. A function $f(x) = x + (x^2 \text{ OR } 5)$ is uniformly differentiable on $\mathbb{Z}_2$, and

$f'(x) = 1 + 2x \cdot (x \text{ OR } 5)' = 1 + 2x.$

A function

$F(x, y) = (f(x, y), g(x, y)) = (x \text{ XOR } 2(x \text{ AND } y),\ (y + 3x^2) \text{ XOR } x)$

is uniformly differentiable modulo 2 as a bivariate function, and $N_1(F) = 1$; namely

$F(x + 2^n t, y + 2^m s) \equiv F(x, y) + (2^n t, 2^m s) \cdot \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix} \pmod{2^{k+1}}$

for all $m, n \ge 1$ (here $k = \min\{m, n\}$). The matrix $\begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix} = F'_1(x, y)$ is a Jacobi matrix modulo 2 of $F$; here is how we calculate partial derivatives modulo 2: for instance

$\frac{\partial_1 g(x, y)}{\partial_1 x} = \frac{\partial_1 (y + 3x^2)}{\partial_1 x} \cdot \left.\frac{\partial_1 (u \text{ XOR } x)}{\partial_1 u}\right|_{u = y + 3x^2} + \frac{\partial_1 x}{\partial_1 x} \cdot \left.\frac{\partial_1 (u \text{ XOR } x)}{\partial_1 x}\right|_{u = y + 3x^2} = 6x \cdot 1 + 1 \cdot 1 \equiv 1 \pmod 2.$

Note that a partial derivative modulo 2 of the function $2(x \text{ AND } y)$ is always $0$ modulo 2 because of the multiplier 2: the function $x \text{ AND } y$ is not differentiable modulo 2 as a bivariate function, yet $2(x \text{ AND } y)$ is. So the Jacobian of the function $F$ is $\det F'_1 \equiv 1 \pmod 2$.

p-ADIC ERGODICITY AND PSEUDORANDOMNESS

Now let $F = (f_1, \ldots, f_m)\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$ and $f\colon \mathbb{Z}_p^n \to \mathbb{Z}_p$ be compatible functions that are uniformly differentiable on $\mathbb{Z}_p^n$ modulo $p$. This is a relatively weak restriction since all functions uniformly differentiable on $\mathbb{Z}_p^n$, as well as functions that are uniformly differentiable on $\mathbb{Z}_p^n$ modulo $p^k$ for some $k > 1$, are uniformly differentiable on $\mathbb{Z}_p^n$ modulo $p$; note that $\frac{\partial_k f}{\partial_k x_i} \equiv \frac{\partial_1 f}{\partial_1 x_i} \pmod p$. Moreover, all values of all partial derivatives modulo $p^k$ (and thus, modulo $p$) of $F$ and $f$ are $p$-adic integers everywhere on $\mathbb{Z}_p^n$ (see proposition 4.13), so to calculate these values one can use the techniques considered above.

Theorem 4.6. [1, 2, 4] A function $F\colon \mathbb{Z}_p^n \to \mathbb{Z}_p^m$ is measure preserving whenever it is balanced modulo $p^k$ for some $k \ge N_1(F)$ and the rank of its Jacobi matrix $F'_1(u)$ modulo $p$ is exactly $m$ at all points $u = (u_1, \ldots, u_n) \in (\mathbb{Z}/p^k\mathbb{Z})^n$. In case $m = n$ these conditions are also necessary, i.e., the function $F$ preserves measure if and only if it is bijective modulo $p^k$ for some $k \ge N_1(F)$ and $\det(F'_1(u)) \not\equiv 0 \pmod p$ for all $u = (u_1, \ldots, u_n) \in (\mathbb{Z}/p^k\mathbb{Z})^n$. Moreover, in the considered case these conditions imply that $F$ preserves measure if and only if it is bijective modulo

That is, if the mapping $u \mapsto F(u) \bmod p^{N_1(F)}$ is balanced, and if the rank of the Jacobi matrix $F'_1(u)$ modulo $p$ is exactly $m$ at all points $u \in (\mathbb{Z}/p^{N_1(F)}\mathbb{Z})^n$, then each mapping $u \mapsto F(u) \bmod p^r$ of $(\mathbb{Z}/p^r\mathbb{Z})^n$ onto $(\mathbb{Z}/p^r\mathbb{Z})^m$ ($r = 1, 2, 3, \ldots$) is balanced (i.e., each point of $(\mathbb{Z}/p^r\mathbb{Z})^m$ has the same number of preimages in $(\mathbb{Z}/p^r\mathbb{Z})^n$, see definition 3.2).

Example 4.16. We consider as examples some mappings that were studied in [20] to demonstrate how the techniques presented above work.

(1) A mapping

$(x, y) \mapsto F(x, y) = (x \text{ XOR } 2(x \text{ AND } y),\ (y + 3x^2) \text{ XOR } x) \bmod 2^r$

of $(\mathbb{Z}/2^r\mathbb{Z})^2$ onto $(\mathbb{Z}/2^r\mathbb{Z})^2$ is bijective for all $r = 1, 2, \ldots$

Indeed, the function $F$ is bijective modulo $2^{N_1(F)} = 2$ (direct verification) and $\det(F'_1(u)) \equiv 1 \pmod 2$ for all $u \in (\mathbb{Z}/2\mathbb{Z})^2$ (see the table of derivatives in example 4.15 and the examples thereafter).

(2) The following mappings of $\mathbb{Z}/2^r\mathbb{Z}$ onto $\mathbb{Z}/2^r\mathbb{Z}$ are bijective for all $r = 1, 2, \ldots$:

$x \mapsto (x + 2x^2) \bmod 2^r,$

$x \mapsto (x + (x^2 \text{ OR } 1)) \bmod 2^r,$

$x \mapsto (x \text{ XOR } (x^2 \text{ OR } 1)) \bmod 2^r.$
VLADIMIR ANASHIN

Indeed, all three mappings are uniformly differentiable modulo 2, and $N_1 = 1$ for all of them. So it suffices to prove that all three mappings are bijective modulo 2, i.e., as mappings of the residue ring $\mathbb{Z}/2\mathbb{Z}$ onto itself (this could be checked by direct calculations), and that their derivatives modulo 2 vanish at no point of $\mathbb{Z}/2\mathbb{Z}$. The latter also holds, since the derivatives are, respectively,

$1 + 4x \equiv 1 \pmod 2,\quad 1 + 2x \cdot 1 \equiv 1 \pmod 2,\quad 1 + 2x \cdot 1 \equiv 1 \pmod 2,$

since $(x^2 \text{ OR } 1)' = 2x \cdot 1$, and $(x \text{ XOR } C)'_1 \equiv 1 \pmod 2$, see example 4.15.

(3) The following closely related variants of the previous mappings of $\mathbb{Z}/2^r\mathbb{Z}$ onto $\mathbb{Z}/2^r\mathbb{Z}$ are not bijective for all $r = 1, 2, \ldots$:
$$x \mapsto (x + x^2) \bmod 2^r,$$
$$x \mapsto (x + (x^2 \mathbin{\mathrm{AND}} 1)) \bmod 2^r,$$
$$x \mapsto (x + (x^2 \mathbin{\mathrm{OR}} 1)) \bmod 2^r,$$
since they are compatible but not bijective modulo 2.

(4) (see [29], also [20, Theorem 1]) Let $P(x) = a_0 + a_1 x + \cdots + a_d x^d$ be a polynomial with integral coefficients. Then $P(x)$ is a permutation polynomial (i.e., is bijective) modulo $2^n$, $n > 1$, if and only if $a_1$ is odd, $(a_2 + a_4 + \cdots)$ is even, and $(a_3 + a_5 + \cdots)$ is even.

In view of theorem 4.6 we need to verify whether the two conditions hold: first, whether $P$ is bijective modulo 2, and second, whether $P'(z) \equiv 1 \pmod 2$ for $z \in \{0, 1\}$. The first condition gives that $P(0) = a_0$ and $P(1) = a_0 + a_1 + a_2 + \cdots + a_d$ must be distinct modulo 2; hence $a_1 + a_2 + \cdots + a_d \equiv 1 \pmod 2$. The second condition implies that $P'(0) = a_1 \equiv 1 \pmod 2$ and $P'(1) = a_1 + a_3 + a_5 + \cdots \equiv 1 \pmod 2$. Now combining all this together we get $a_2 + a_3 + \cdots + a_d \equiv 0 \pmod 2$ and $a_3 + a_5 + \cdots \equiv 0 \pmod 2$, hence $a_2 + a_4 + \cdots \equiv 0 \pmod 2$.

(5) As a bonus, we can use exactly the same proof to get exactly the same characterization of the mappings of the form $x \mapsto P(x) = a_0 \mathbin{\mathrm{XOR}} a_1 x \mathbin{\mathrm{XOR}} \cdots \mathbin{\mathrm{XOR}} a_d x^d \bmod 2^r$ that are bijective modulo $2^r$ ($r = 1, 2, \ldots$), since $u \mathbin{\mathrm{XOR}} v$ is uniformly differentiable modulo 2 as a bivariate function, its derivative modulo 2 is exactly the same as the derivative of $u + v$, and besides, $u \mathbin{\mathrm{XOR}} v \equiv u + v \pmod 2$.

Note that in general theorem 4.6 could be applied to a class of functions that is narrower than the class of all compatible functions. However, it turns out that for $p = 2$ this is not the case. Namely, the following proposition holds, which in fact is just a restatement of a corresponding assertion of theorem 4.5.

Proposition 4.17. [1, 2] If a compatible function $g\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ preserves measure, then it is uniformly differentiable modulo 2 and has an integer derivative modulo 2, which is always 1 modulo 2.

The techniques introduced above could also be applied to characterize ergodic functions.

Theorem 4.7. [1, 2, 4] Let a compatible function $f\colon \mathbb{Z}_p \to \mathbb{Z}_p$ be uniformly differentiable modulo $p^2$. Then $f$ is ergodic if and only if it is transitive modulo $2^{N_2(f)+2}$ when $p = 2$ (and modulo the corresponding power of $p$ when $p$ is an odd prime).
Example 4.18. In [20] it is stated that "...neither the invertibility nor the cycle structure of x + (x^2 OR 5) could be determined by his (i.e., mine — V.A.) techniques." See, however, how this is done immediately with the use of theorem 4.7: the function $f(x) = x + (x^2 \mathbin{\mathrm{OR}} 5)$ is uniformly differentiable on $\mathbb{Z}_2$, thus it is uniformly differentiable modulo 4 (see example 4.15 and the example thereafter), and $N_2(f) = 3$. Now, to prove that $f$ is ergodic, in view of theorem 4.7 it suffices to demonstrate that $f$ induces a permutation with a single cycle on $\mathbb{Z}/32\mathbb{Z}$. Direct calculation shows that the string $0,\ f(0) \bmod 32,\ f^2(0) \bmod 32 = f(f(0)) \bmod 32,\ \ldots,\ f^{31}(0) \bmod 32$ is a permutation of the string $0, 1, 2, \ldots, 31$, thus ending the proof.
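The checks used in examples 4.16 and 4.18 can be automated. The Python script below is an added example and is not from the paper: it brute-forces bijectivity and transitivity of the induced maps on $\mathbb{Z}/2^r\mathbb{Z}$ for small $r$, compares the permutation-polynomial criterion of example 4.16(4) with brute force over all small polynomials, and lists the orbit of 0 under $x + (x^2 \mathbin{\mathrm{OR}} 5)$ modulo 32 (a single 32-cycle, as claimed in example 4.18), also checking transitivity modulo $2^r$ for larger $r$. For example 4.16(3) it uses the first two mappings. The helper names are the script's own; the maps are those of the examples, computed as T-functions, so reducing inputs and outputs modulo $2^r$ gives the induced map.

```python
"""Brute-force checks for examples 4.16 and 4.18 (added example, not from the paper).

All maps below are T-functions (compatible), so the map induced on Z/2^rZ is
x -> f(x mod 2^r) mod 2^r.  Python's int gives exact arithmetic and the
bitwise operators ^, &, | act as XOR, AND, OR on non-negative integers."""
from itertools import product


def is_bijective_mod(f, r):
    """True iff x -> f(x) mod 2^r permutes Z/2^rZ."""
    m = 1 << r
    return len({f(x) % m for x in range(m)}) == m


def is_transitive_mod(f, r):
    """True iff x -> f(x) mod 2^r is a single cycle through all of Z/2^rZ."""
    m = 1 << r
    x, seen = 0, set()
    while x not in seen:
        seen.add(x)
        x = f(x) % m
    return x == 0 and len(seen) == m


def is_bijective_mod_2d(F, r):
    """Same check for a map (x, y) -> F(x, y) of (Z/2^rZ)^2 onto itself."""
    m = 1 << r
    images = {tuple(v % m for v in F(x, y)) for x, y in product(range(m), repeat=2)}
    return len(images) == m * m


def rivest_criterion(coeffs):
    """Example 4.16(4): P(x) = sum_i coeffs[i] x^i is a permutation polynomial
    modulo 2^n for n > 1 iff a_1 is odd, a_2 + a_4 + ... is even and
    a_3 + a_5 + ... is even."""
    a = list(coeffs) + [0, 0, 0]
    return a[1] % 2 == 1 and sum(a[2::2]) % 2 == 0 and sum(a[3::2]) % 2 == 0


def polynomial(coeffs):
    return lambda x: sum(c * x ** i for i, c in enumerate(coeffs))


# Example 4.16(1): (x, y) -> (x XOR 2(x AND y), (y + 3x^2) XOR x)
F1 = lambda x, y: (x ^ (2 * (x & y)), (y + 3 * x * x) ^ x)
# Example 4.16(2): bijective modulo 2^r for every r
BIJECTIVE = [lambda x: x + 2 * x * x,
             lambda x: x + (x * x | 1),
             lambda x: x ^ (x * x | 1)]
# Example 4.16(3), first two maps: compatible but not bijective even modulo 2
NOT_BIJECTIVE = [lambda x: x + x * x,
                 lambda x: x + (x * x & 1)]
# Example 4.18: x + (x^2 OR 5), ergodic on Z_2
KS = lambda x: x + (x * x | 5)


def check_examples(max_r=10):
    """Each claim is True iff it held for every 1 <= r <= max_r (r <= 6 for the 2-D map)."""
    rs = range(1, max_r + 1)
    return {
        "4.16(1) bijective": all(is_bijective_mod_2d(F1, r) for r in range(1, 7)),
        "4.16(2) bijective": all(is_bijective_mod(f, r) for f in BIJECTIVE for r in rs),
        "4.16(3) not bijective": not any(is_bijective_mod(f, r) for f in NOT_BIJECTIVE for r in rs),
        "4.18 single cycle": all(is_transitive_mod(KS, r) for r in rs),
    }


def cycle_mod_32():
    """The orbit of 0 under x + (x^2 OR 5) modulo 32, as in example 4.18."""
    orbit, x = [], 0
    for _ in range(32):
        orbit.append(x)
        x = KS(x) % 32
    return orbit


def rivest_disagreements(max_degree=3, coeff_bound=4, ns=(2, 3, 4, 5)):
    """Number of small polynomials on which the criterion and brute force differ (expected 0)."""
    bad = 0
    for coeffs in product(range(coeff_bound), repeat=max_degree + 1):
        brute = all(is_bijective_mod(polynomial(coeffs), n) for n in ns)
        bad += brute != rivest_criterion(coeffs)
    return bad


if __name__ == "__main__":
    for claim, ok in check_examples().items():
        print(f"{claim}: {ok}")
    print("orbit of 0 mod 32:", cycle_mod_32())
    print("Rivest criterion disagreements:", rivest_disagreements())
```

The transitivity test walks the orbit of 0 and accepts only if it returns to 0 after visiting all $2^r$ residues; because the maps are compatible, a single cycle modulo $2^r$ reduces to a single cycle modulo every smaller power of 2, so the check for the largest $r$ subsumes the smaller ones.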

5. Two fast generators

In subsection 4.1 we described how to use interpolation series to verify whether a given transformation $f$ of the space $\mathbb{Z}_2$ is ergodic (or preserves measure): one must represent $f$ as an interpolation series and apply theorem 4.1. Generally speaking, it is not an easy task to represent an arbitrary continuous transformation $f$ as an interpolation series (although such a representation always exists). Nevertheless, the technique works. Here we apply it to establish ergodicity/measure preservation conditions for two special transformations that are used in cryptographic pseudorandom generators. Both these generators are fast: the first of them uses only additions, XORs and multiplications by constants; the second uses additions of entries of a certain look-up table selected by the bits of a variable.

Theorem 5.1. The following is true:

1° The function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ of the form
$$f(x) = a + \sum_{i=1}^{n} a_i (x \mathbin{\mathrm{XOR}} b_i),$$
where $a, a_i, b_i \in \mathbb{Z}_2$, $i = 1, 2, \ldots, n$, preserves measure (resp., is ergodic) if and only if it is bijective (resp., transitive) modulo 2 (resp., modulo 4).

2° The function $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ of the form
$$f(x) = a + \sum_{i=0}^{\infty} a_i \delta_i(x),$$
where $a, a_i \in \mathbb{Z}_2$, $i = 0, 1, 2, \ldots$, is compatible and ergodic if and only if the following conditions hold simultaneously:
$$a \equiv 1 \pmod 2;\qquad a_0 \equiv 1 \pmod 4;\qquad \|a_i\|_2 = 2^{-i}\ \text{ for } i = 1, 2, 3, \ldots.$$
The function $f$ is compatible and measure preserving if and only if $\|a_i\|_2 = 2^{-i}$ ($i = 0, 1, 2, 3, \ldots$).

Proof of theorem 5.1. Consider the interpolation series for $\delta_i(x)$, $i = 0, 1, 2, \ldots$:
$$\delta_i(x) = \sum_{j=0}^{\infty} \sigma_i(j)\binom{x}{j}.$$
To apply theorem 4.1 we must first estimate the norms of the coefficients $\sigma_i(j)$. To do this, we need several lemmas.
Lemma 5.1. For all $i, j = 1, 2, 3, \ldots$ the following equations hold:
$$\sigma_i(0) = 0, \qquad \sigma_i(j) = (-1)^{j+1}\sum_{k=1}^{\lfloor j/2^i\rfloor}(-1)^k\binom{j-1}{k2^i - 1}.$$

Proof of lemma 5.1. As $\delta_i(0) = 0$ for all $i = 0, 1, 2, \ldots$, then $\sigma_i(0) = 0$. For all $k = 0, 1, 2, \ldots$ we have $\delta_i(k) = \sum_{j=0}^{k}\sigma_i(j)\binom{k}{j}$. From here, with the use of the formulae which express a coefficient of the interpolation series of a $p$-adic function via the values of this function at rational integer points (see e.g. [28, Chapter 9, Section 2]), we obtain that
$$\sigma_i(j) = (-1)^j\sum_{k=0}^{j}(-1)^k\binom{j}{k}\delta_i(k).$$
Hence, in view of the definition of the function $\delta_i$ (one has $\delta_i(k) = 1$ exactly when $(2s-1)2^i \le k \le 2s\cdot 2^i - 1$ for some $s \ge 1$),
$$\sigma_i(j) = (-1)^j\sum_{s \ge 1}\ \sum_{k=(2s-1)2^i}^{2s\cdot 2^i - 1}(-1)^k\binom{j}{k}.$$
From here, using the well-known identity (which can be easily proved)
$$(5)\qquad \sum_{k=a}^{b}(-1)^k\binom{n}{k} = (-1)^b\binom{n-1}{b} + (-1)^a\binom{n-1}{a-1},$$
we conclude that for $i \ge 1$ (the lower limit $(2s-1)2^i$ being even)
$$\sigma_i(j) = (-1)^j\sum_{s\ge 1}\left[\binom{j-1}{(2s-1)2^i - 1} - \binom{j-1}{2s\cdot 2^i - 1}\right],$$
while for $i = 0$ each inner sum consists of the single odd term $k = 2s-1$. This proves the lemma, since the latter identity implies
$$\sigma_i(j) = \begin{cases}(-1)^{j+1}2^{j-1}, & \text{if } i = 0;\\[2pt] (-1)^{j+1}\sum_{k=1}^{\lfloor j/2^i\rfloor}(-1)^k\binom{j-1}{k2^i - 1}, & \text{otherwise.}\end{cases}\qquad\Box$$



Lemma 5.2. For all $m, t, r = 0, 1, 2, \ldots$ that satisfy simultaneously the two conditions $0 \le t \le 2^m - 1$ and $m > r$ the following congruence holds:
$$\binom{2^m - 1}{t} \equiv (-1)^{\,t - \lfloor 2^{-r}t\rfloor}\binom{2^{m-r} - 1}{\lfloor 2^{-r}t\rfloor} \pmod{2^{m-r+1}}.$$
In particular, for all $m, s, j \in \mathbb{N}$ that satisfy simultaneously the two conditions $m > s \ge 1$ and $j \le 2^{m-s} - 1$ the following congruence holds:
$$\binom{2^m - 2}{2^s j - 1} \equiv (-1)^j\, 2^s j\binom{2^{m-s} - 1}{j - 1} \pmod{2^{m-s+1}}.$$

Proof of lemma 5.2. Firstly, we recall that every $s \in \mathbb{Z}_2$ has a unique representation of the form $s = 2^{\mathrm{ord}_2 s}\tilde s$, where $\tilde s$ is a unit of $\mathbb{Z}_2$ (i.e., $\tilde s$ is odd, meaning $\delta_0(\tilde s) = 1$) and hence has a multiplicative inverse in $\mathbb{Z}_2$. In these notations, assuming $M = \{i : i = 1, 2, \ldots, t;\ \mathrm{ord}_2 i \ge r\}$ and $M'$ the complement of $M$ in $\{1, 2, \ldots, t\}$, we obtain that
$$\binom{2^m - 1}{t} = \prod_{i=1}^{t}\frac{2^m - i}{i} = \prod_{i \in M'}\left(\frac{2^{m - \mathrm{ord}_2 i}}{\tilde i} - 1\right)\prod_{i \in M}\frac{2^{m - \mathrm{ord}_2 i} - \tilde i}{\tilde i} \equiv (-1)^{|M'|}\prod_{i \in M}\frac{2^m - i}{i} \pmod{2^{m-r+1}},$$
since $m - \mathrm{ord}_2 i \ge m - r + 1$ for $i \in M'$. The condition $\mathrm{ord}_2 i \ge r$ for $i = 1, 2, \ldots, t$ holds if and only if $i = j2^r$ for $j = 1, 2, \ldots, \lfloor 2^{-r}t\rfloor$. This means that $|M'| = t - \lfloor 2^{-r}t\rfloor$. So the product in the right hand part of the congruence mentioned above is equal to
$$\prod_{j=1}^{\lfloor 2^{-r}t\rfloor}\frac{2^{m-r} - j}{j} = \binom{2^{m-r} - 1}{\lfloor 2^{-r}t\rfloor}.$$
This proves the first part of the statement. The second part now becomes obvious, since
$$\binom{2^m - 2}{2^s j - 1} = \frac{2^m - 2^s j}{2^m - 1}\binom{2^m - 1}{2^s j - 1},$$
where $\frac{2^m - 2^s j}{2^m - 1} \equiv 2^s j \pmod{2^{m-s+1}}$, and the first part with $t = 2^s j - 1$, $r = s$ gives $\binom{2^m-1}{2^s j - 1} \equiv (-1)^j\binom{2^{m-s}-1}{j-1} \pmod{2^{m-s+1}}$. $\Box$


Lemma 5.3. For $s, k = 1, 2, 3, \ldots$ the following holds:

(i) $\|\sigma_s(k)\|_2 \le 2^{-\lfloor\log_2 k\rfloor + s - 1}$, if $k \ne 2^s, 2^{s+1}$;

(ii) $\|\sigma_s(2^s)\|_2 = 1$, $\|\sigma_s(2^{s+1})\|_2 = \frac12$;

(iii) $\|\sigma_s(2^m - 1)\|_2 \le 2^{-m+s-1}$, if $m > s \ge 1$.

Proof of lemma 5.3. Represent $k$ as $k = 2^m + t$, where $m = \lfloor\log_2 k\rfloor$, $0 \le t < 2^m$. We may assume that $m \ge s$, since otherwise $\sigma_s(k) = 0$ in view of lemma 5.1. Further, lemma 5.1 implies that
$$(6)\qquad \sigma_s(2^m + t) = (-1)^{t+1}\sum_{j \ge 1}(-1)^j\binom{2^m + t - 1}{2^s j - 1}.$$
With the use of the well-known identity (which can be easily proved)
$$\sum_{k=0}^{l}\binom{t}{k}\binom{n}{l - k} = \binom{n + t}{l},$$
we obtain that
$$(7)\qquad \binom{2^m - 1 + t}{2^s j - 1} = \sum_{k=0}^{t}\binom{t}{k}\binom{2^m - 1}{2^s j - k - 1} = \sum_{n \ge 0}\ \sum_{r=0}^{2^s - 1}\binom{t}{2^s n + r}\binom{2^m - 1}{2^s(j - n - 1) + (2^s - r - 1)}.$$
Here, as usual, we assume that $\binom{a}{b} = 0$ for $b < 0$. In view of lemma 5.2, equation (7) implies that
$$(8)\qquad \binom{2^m - 1 + t}{2^s j - 1} \equiv \sum_{n \ge 0}\ \sum_{r=0}^{2^s - 1}(-1)^{n + r + j}\binom{t}{2^s n + r}\binom{2^{m-s} - 1}{j - n - 1} \pmod{2^{m-s+1}}.$$
Now (6) in view of (8) implies that
$$(9)\qquad \sigma_s(2^m + t) \equiv (-1)^{t+1}\sum_{n \ge 0}\ \sum_{r=0}^{2^s - 1}(-1)^{n+r}\binom{t}{2^s n + r}\sum_{j \ge 1}\binom{2^{m-s} - 1}{j - n - 1} = 2^{2^{m-s} - 1}(-1)^{t+1}\sum_{n \ge 0}\ \sum_{r=0}^{2^s - 1}(-1)^{n+r}\binom{t}{2^s n + r} \pmod{2^{m-s+1}}.$$
Now applying identity (5) to the inner sums and assuming that $t \ne 0$, in view of lemma 5.1 we conclude that
$$(-1)^{t+1}\sum_{n \ge 0}\ \sum_{r=0}^{2^s - 1}(-1)^{n+r}\binom{t}{2^s n + r} = (-1)^{t+1}\sum_{n \ge 0}(-1)^n\left[\binom{t-1}{2^s n - 1} - \binom{t-1}{2^s(n+1) - 1}\right] = 2(-1)^{t+1}\sum_{n \ge 1}(-1)^n\binom{t-1}{2^s n - 1} = 2\sigma_s(t).$$
The left hand part of this equation is equal to $-1$ when $t = 0$. So, taking all these arguments into account, from (9) we conclude that
$$\sigma_s(2^m + t) \equiv \begin{cases}2^{2^{m-s}}\sigma_s(t) \pmod{2^{m-s+1}}, & \text{if } t \ne 0;\\[2pt] -2^{2^{m-s} - 1} \pmod{2^{m-s+1}}, & \text{if } t = 0.\end{cases}$$
The latter proves statements (i) and (ii) since it easily implies that
$$\sigma_s(2^m + t) \equiv \begin{cases}1 \pmod 2, & \text{if } m = s,\ t = 0;\\ 2 \pmod 4, & \text{if } m = s + 1,\ t = 0;\\ 0 \pmod{2^{m-s+1}}, & \text{in all other cases.}\end{cases}$$
Finally, if $m > s \ge 1$, then combining together lemmas 5.1 and 5.2 we obtain that
$$\sigma_s(2^m - 1) \equiv 2^s\sum_{j=1}^{2^{m-s}} j\binom{2^{m-s} - 1}{j - 1} \pmod{2^{m-s+1}}.$$
Now, applying the well-known identity $\sum_{k=0}^{n} k\binom{n}{k} = 2^{n-1}n$, we conclude that
$$\sigma_s(2^m - 1) \equiv 2^{\,2^{m-s} + s - 2}\bigl(2^{m-s} + 1\bigr) \pmod{2^{m-s+1}}.$$
This proves (iii) and the lemma. $\Box$

Now everything is ready to prove theorem 5.1. We start with statement 1°. The operation XOR and, consequently, the function $f$ are compatible. Now, expanding $x \mathbin{\mathrm{XOR}} b_i$ bitwise, we conclude that
$$f(x) = a + \sum_{i=1}^{n} a_i b_i + \sum_{i=1}^{n} a_i x - 2\sum_{i=1}^{n}\sum_{k=0}^{\infty} 2^k a_i\delta_k(x)\delta_k(b_i).$$
Now, considering the interpolation series for $\delta_k(x)$ and taking into account that (in view of lemma 5.1) $\sigma_0(1) = 1$ and $\sigma_i(1) = 0$ for $i = 1, 2, 3, \ldots$, we obtain
$$f(x) = a + \sum_{i=1}^{n} a_i b_i + x\Bigl(\sum_{i=1}^{n} a_i - 2\sum_{i=1}^{n} a_i\delta_0(b_i)\Bigr) - \sum_{j=2}^{\infty} s_j\binom{x}{j},$$
where $s_j = \sum_{i=1}^{n}\sum_{k=0}^{\infty} 2^{k+1} a_i\sigma_k(j)\delta_k(b_i)$. Lemmas 5.1 and 5.3 immediately imply that for $k = 0, 1, 2, \ldots$
$$2^{k+1}\sigma_k(j) \equiv \begin{cases}0 \pmod{2^{\lfloor\log_2 j\rfloor + 1}}, & \text{if } j = 2^k, 2^{k+1};\\ 0 \pmod{2^{\lfloor\log_2 j\rfloor + 2}}, & \text{otherwise.}\end{cases}$$
Now theorem 4.1 implies that $f$ preserves measure (resp., is ergodic) if and only if $\sum_{i=1}^{n} a_i \equiv 1 \pmod 2$ (resp., if and only if $a + \sum_{i=1}^{n} a_i b_i \equiv 1 \pmod 2$ and $\sum_{i=1}^{n} a_i + 2\sum_{i=1}^{n} a_i b_i \equiv 1 \pmod 4$). This is obviously equivalent to statement 1° of theorem 5.1.

To prove statement 2° of the theorem we first note that the functions $\delta_i$ for $i \ge 0$ are not compatible. As $\sigma_i(0) = 0$ for $i \ge 0$ (see lemma 5.1), we have
$$f(x) = a + \sum_{j=1}^{\infty}\binom{x}{j}\sum_{i=0}^{\infty} a_i\sigma_i(j).$$
Theorem 4.1 implies now that the function $f$ preserves measure if and only if the following congruences hold simultaneously:
$$(10)\qquad \sum_{i=0}^{\infty} a_i\sigma_i(1) \equiv 1 \pmod 2;\qquad \sum_{i=0}^{\infty} a_i\sigma_i(j) \equiv 0 \pmod{2^{\lfloor\log_2 j\rfloor + 1}},\ j = 2, 3, \ldots.$$
In view of lemma 5.1, the first of the conditions of (10) is equivalent to the congruence
$$(11)\qquad a_0 \equiv 1 \pmod 2.$$
Moreover, lemma 5.1 implies that $\sigma_i(j) = 0$ for $i > \lfloor\log_2 j\rfloor$. Hence, the second of the conditions (10) is equivalent to the following system of congruences:
$$(12)\qquad \sum_{i=0}^{\lfloor\log_2 j\rfloor} a_i\sigma_i(j) \equiv 0 \pmod{2^{\lfloor\log_2 j\rfloor + 1}},\ j = 2, 3, \ldots.$$
Consider the following subsystem of system (12) for $j = 2^k$, $k = 1, 2, 3, \ldots$:
$$(13)\qquad \sum_{i=0}^{k} a_i\sigma_i(2^k) \equiv 0 \pmod{2^{k+1}},\ k = 1, 2, 3, \ldots.$$
We assert that 2-adic integers $a_i$ satisfy the system of congruences (13) if and only if $a_i \equiv 2^i \pmod{2^{i+1}}$, $i = 0, 1, 2, \ldots$. We proceed by induction on $i$. If $i = 1$, then applying lemma 5.1 for $k = 1$ we conclude that
$$(14)\qquad 2a_0 + a_1\sigma_1(2) \equiv 0 \pmod 4.$$
In view of (ii) of lemma 5.3, the 2-adic integer $\sigma_1(2)$ has a multiplicative inverse in $\mathbb{Z}_2$, so in view of (11) congruence (14) is equivalent to the congruence
$$a_1 \equiv 2 \pmod 4.$$
Now let the statement under proof be true for $k < n$; consider the congruence
$$(15)\qquad \sum_{i=0}^{n} a_i\sigma_i(2^n) \equiv 0 \pmod{2^{n+1}}.$$
By the induction hypothesis, $a_i = 2^i + s_i 2^{i+1}$ ($i = 0, 1, \ldots, n-1$) for suitable $s_i \in \mathbb{Z}_2$. Then, taking into account lemma 5.1 and statements (i), (ii) of lemma 5.3, we conclude that $a_i\sigma_i(2^n) \equiv 0 \pmod{2^{n+1}}$ for $i = 0, 1, \ldots, n-2$ and $a_{n-1}\sigma_{n-1}(2^n) \equiv 2^n \pmod{2^{n+1}}$. Hence, congruence (15) is equivalent to the congruence $2^n + a_n\sigma_n(2^n) \equiv 0 \pmod{2^{n+1}}$. As $\sigma_n(2^n)$ is a unit of $\mathbb{Z}_2$ (by virtue of (ii) of lemma 5.3), the latter congruence implies that $a_n \equiv 2^n \pmod{2^{n+1}}$.

From (i) of lemma 5.3 we easily conclude that if $a_i \equiv 2^i \pmod{2^{i+1}}$, then the $a_i$ also satisfy each congruence of the system (12) for those $j$ which are not powers of 2. This means that the set of conditions (10) is equivalent to the following set of congruences:
$$a_i \equiv 2^i \pmod{2^{i+1}},\ i = 0, 1, 2, 3, \ldots.$$
Thus we have proved the second part of statement 2°. To prove the first part of this statement we note that, since $\lfloor\log_2(i+1)\rfloor + 1 = \lfloor\log_2 i\rfloor + 1$ for $i \ne 2^k - 1$, the necessary and sufficient conditions for the function $f$ to be ergodic (see theorem 4.1) in the case under consideration have the following form:
$$(16)\qquad a \equiv 1 \pmod 2;$$
$$(17)\qquad \sum_{i=0}^{\infty} a_i\sigma_i(1) \equiv 1 \pmod 4;$$
$$(18)\qquad \sum_{i=0}^{\infty} a_i\sigma_i(j) \equiv 0 \pmod{2^{\lfloor\log_2 j\rfloor + 1}},\ j = 2, 3, 4, \ldots;$$
$$(19)\qquad \sum_{i=0}^{\infty} a_i\sigma_i(2^k - 1) \equiv 0 \pmod{2^{k+1}},\ k = 2, 3, 4, \ldots.$$
As $\sigma_i(1) = 0$ for $i \ne 0$ (see lemma 5.1), (17) is equivalent to the following condition:
$$(20)\qquad a_0 \equiv 1 \pmod 4.$$
During the proof of the second part of statement 2° we have established that if $a_0 \equiv 1 \pmod 2$ (and, in particular, if (20) is satisfied) then the conditions (18) are equivalent to the conditions
$$(21)\qquad a_i \equiv 2^i \pmod{2^{i+1}}\quad (i = 1, 2, 3, \ldots).$$
Finally, combining together statement (iii) of lemma 5.3 and lemma 5.1, we conclude that if the 2-adic integers $a_i$ ($i = 0, 1, 2, \ldots$) satisfy conditions (21) and (20) simultaneously, then the $a_i$ also satisfy conditions (19). Thus, the union of conditions (16)–(19) is equivalent to the union of conditions (16), (20) and (21). This proves the first part of statement 2° and the whole theorem 5.1. $\Box$
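As an added illustration (not part of the paper), the Python script below checks theorem 5.1 numerically. For random coefficients it compares transitivity of $f(x) = a + \sum_i a_i(x \mathbin{\mathrm{XOR}} b_i)$ modulo 4 with transitivity modulo $2^r$ for $r \le 10$ and with the two congruences derived in the proof of statement 1°; for the look-up table generator $f(x) = a + \sum_i a_i\delta_i(x)$ it builds coefficients meeting the conditions of statement 2° ($a$ odd, $a_0 \equiv 1 \pmod 4$, $a_i = 2^i\cdot\text{odd}$), verifies transitivity modulo $2^r$ for $r$ up to the table length, and shows that changing $a_0$ to $3 \pmod 4$ already destroys transitivity modulo 4. The random instances, the table truncation and the helper names are the script's own assumptions.

```python
"""Numerical check of theorem 5.1 on Z/2^rZ (added example, not from the paper).

Statement 1:  f(x) = a + sum_i a_i (x XOR b_i) is ergodic iff it is transitive
modulo 4; the proof shows this is the same as
    a + sum a_i b_i = 1 (mod 2)   and   sum a_i + 2 sum a_i b_i = 1 (mod 4).
Statement 2:  f(x) = a + sum_i a_i delta_i(x), delta_i(x) = bit i of x, is
compatible and ergodic iff a is odd, a_0 = 1 (mod 4) and ||a_i||_2 = 2^-i,
i.e. a_i = 2^i * (odd) for i >= 1."""
import random


def is_transitive_mod(f, r):
    """True iff x -> f(x) mod 2^r is one cycle through all of Z/2^rZ."""
    m = 1 << r
    x, seen = 0, set()
    while x not in seen:
        seen.add(x)
        x = f(x) % m
    return x == 0 and len(seen) == m


def xor_sum_generator(a, coeffs):
    """Statement 1 family; coeffs is a list of pairs (a_i, b_i), b_i >= 0."""
    return lambda x: a + sum(ai * (x ^ bi) for ai, bi in coeffs)


def statement1_congruences(a, coeffs):
    """c_0 = f(0) odd and c_1 = f(1) - f(0) = 1 (mod 4), as in the proof."""
    c0 = a + sum(ai * bi for ai, bi in coeffs)
    c1 = sum(ai for ai, _ in coeffs) + 2 * sum(ai * bi for ai, bi in coeffs)
    return c0 % 2 == 1 and c1 % 4 == 1


def statement1_disagreements(trials=300, max_r=10, seed=1):
    """Random instances where the mod-4 test, the congruences and brute-force
    transitivity modulo 2^r (r <= max_r) do not all agree (expected 0)."""
    rnd = random.Random(seed)
    bad = 0
    for _ in range(trials):
        a = rnd.randrange(16)
        coeffs = [(rnd.randrange(16), rnd.randrange(16)) for _ in range(rnd.randrange(1, 4))]
        f = xor_sum_generator(a, coeffs)
        mod4 = is_transitive_mod(f, 2)
        bad += mod4 != statement1_congruences(a, coeffs)
        bad += mod4 != all(is_transitive_mod(f, r) for r in range(1, max_r + 1))
    return bad


def table_generator(a, table):
    """Statement 2 family with the table truncated to len(table) entries:
    f(x) = a + sum_{i < len(table)} table[i] * delta_i(x).  Modulo 2^r with
    r <= len(table) this equals the untruncated f when table[i] = 2^i * (odd)."""
    def f(x):
        return a + sum(ai for i, ai in enumerate(table) if (x >> i) & 1)
    return f


def random_ergodic_table(rnd, bits):
    """Coefficients meeting statement 2: a odd, a_0 = 1 (mod 4), a_i = 2^i * (odd)."""
    table = [(1 << i) * (2 * rnd.randrange(1024) + 1) for i in range(bits)]
    table[0] = 4 * rnd.randrange(1024) + 1
    return 2 * rnd.randrange(1024) + 1, table


def statement2_disagreements(trials=20, bits=10, seed=1):
    """Instances contradicting statement 2 (expected 0): every generator built by
    random_ergodic_table must be transitive modulo 2^r for r <= bits, and the
    same table with a_0 changed to 3 (mod 4) must fail already modulo 4."""
    rnd = random.Random(seed)
    bad = 0
    for _ in range(trials):
        a, table = random_ergodic_table(rnd, bits)
        bad += not all(is_transitive_mod(table_generator(a, table), r) for r in range(1, bits + 1))
        broken = [table[0] + 2] + table[1:]
        bad += is_transitive_mod(table_generator(a, broken), 2)
    return bad


if __name__ == "__main__":
    print("statement 1 disagreements:", statement1_disagreements())
    print("statement 2 disagreements:", statement2_disagreements())
```

The table generator is exactly the "additions of look-up table entries selected by the bits of a variable" of this section; truncating the table to `bits` entries is harmless modulo $2^r$ for $r \le$ `bits` because the dropped entries $a_i = 2^i\cdot\text{odd}$ vanish modulo $2^r$.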

6. Estimates of randomness 

Loosely speaking, within the context of this paper a PRNG is an algorithm that takes a short binary word (an initial state, a seed) and stretches it to a much longer word, which for any seed must look random, that is, like a sequence of fair coin tosses. Given a seed, the whole period of the produced sequence (which is necessarily periodic) is never used in practice. However, the period must be very long and as 'random-looking' as possible. In most applications (e.g., in cryptography), the period of the output sequence must be exponentially longer than the seed, and the algorithm must be fast; whence, the corresponding program cannot be complicated. Thus, designing a PRNG is a kind of paradox: on the one hand, the output string must 'look random' (say, must have high Kolmogorov complexity); on the other hand, the generating program must be short, whence the Kolmogorov complexity of the produced sequence will necessarily be low.

In real-life settings one often agrees that the output sequence 'looks sufficiently random' whenever it passes a certain (in some cases, rather limited) number of statistical tests. In particular, the output string must have no obvious structure using which one can, given a segment of the output sequence, predict the next bit with high probability. Of course, at least some sequences generated by compatible ergodic transformations of the space $\mathbb{Z}_2$ are highly predictable, e.g., sequences (even truncated ones) produced by linear congruential generators, see [31] and references therein. Note that recently a number of effective prediction methods have been developed in machine learning, e.g. transduction [32], conformal prediction and some others, see [34]. It would be very interesting to understand which sequences generated by compatible ergodic transformations of the space $\mathbb{Z}_2$ can be predicted by these methods. However, this question is outside the scope of the given paper and can be a theme of future work.

In this section we pursue a much less ambitious goal: we study distributions and structural properties of sequences produced by compatible ergodic transformations of the space $\mathbb{Z}_2$ in order to demonstrate that, at least with respect to some tests based on the distribution of patterns, these sequences are good.

A word of caution: for convenience in proofs, throughout this section, speaking of base-2 expansions as well as of 2-adic representations, we read them from left to right, so 1101 means 1101000..., and 1101 is the base-2 expansion of 11, and not of 13!
6.1. Distribution of $k$-tuples. Whenever $f$ is a compatible ergodic transformation of the space $\mathbb{Z}_2$, the sequence $\mathcal{T}_n = \{z_i = f^i(z_0) \bmod 2^n\}_{i=0}^{\infty}$ is strictly uniformly distributed as a sequence of binary words of length $n$ (see section 3). However, for applications it is important to study distributions of the binary sequence $\mathcal{T}'_n$ obtained from $\mathcal{T}_n$ by concatenation of these $n$-bit words: one could consider the same sequence as a binary sequence and ask what the distribution of $n$-tuples in this binary sequence is. Strict uniform distribution of an arbitrary sequence $\mathcal{T}$ as a sequence over $\mathbb{Z}/2^n\mathbb{Z}$ does not necessarily imply uniform distribution of overlapping $n$-tuples if this sequence is considered as a binary sequence!

For instance, let $\mathcal{T}$ be the following strictly uniformly distributed sequence over $\mathbb{Z}/4\mathbb{Z}$ with period length exactly 4: $\mathcal{T} = 0231\,0231\,0231\ldots$. Then its representation as a binary sequence (each 2-bit word read from left to right, i.e. least significant bit first, as agreed above) is $\mathcal{T}' = 00011110\,00011110\,00011110\ldots$. Obviously, when we consider $\mathcal{T}$ as a sequence over the residue ring $\mathbb{Z}/4\mathbb{Z}$, each element of $\{0, 1, 2, 3\}$ occurs in the sequence with the same frequency $\frac14$. Yet if we consider $\mathcal{T}'$ as a binary sequence, then 00 (as well as 11) occurs in this sequence with frequency $\frac38$, whereas 01 (and 10) occurs with frequency $\frac18$. Thus, the sequence $\mathcal{T}$ is uniformly distributed over $\mathbb{Z}/4\mathbb{Z}$, while its binary form is not uniformly distributed as a sequence of overlapping 2-tuples over $\mathbb{Z}/2\mathbb{Z}$.

In this subsection we show that this effect does not take place for the sequences $\mathcal{T}'_n$: considering this sequence as a binary sequence, the distribution of $k$-tuples is uniform for all $k \le n$. Now we state this property more formally.

Consider a (binary) $n$-cycle $C = (\varepsilon_0\varepsilon_1\cdots\varepsilon_{n-1})$; that is, an oriented graph with vertices $\{a_0, a_1, \ldots, a_{n-1}\}$ and edges
$$\{(a_0, a_1), (a_1, a_2), \ldots, (a_{n-2}, a_{n-1}), (a_{n-1}, a_0)\},$$
where each vertex $a_j$ is labelled with $\varepsilon_j \in \{0, 1\}$, $j = 0, 1, \ldots, n-1$. (Note that then $(\varepsilon_0\varepsilon_1\cdots\varepsilon_{n-1}) = (\varepsilon_{n-1}\varepsilon_0\cdots\varepsilon_{n-2}) = \cdots$, etc.)

Clearly, each purely periodic sequence $\mathcal{S}$ over $\mathbb{Z}/2\mathbb{Z}$ with period $\alpha_0\ldots\alpha_{n-1}$ of length $n$ could be related to a binary $n$-cycle $C(\mathcal{S}) = (\alpha_0\cdots\alpha_{n-1})$. Conversely, to each binary $n$-cycle $(\alpha_0\cdots\alpha_{n-1})$ we could relate $n$ purely periodic binary sequences of period length $n$: they are the $n$ shifted versions of the sequence
$$\alpha_0\ldots\alpha_{n-1}\alpha_0\ldots\alpha_{n-1}\ldots,$$
that is
$$\alpha_1\ldots\alpha_{n-1}\alpha_0\alpha_1\ldots\alpha_{n-1}\alpha_0\ldots,$$
$$\alpha_2\ldots\alpha_{n-1}\alpha_0\alpha_1\alpha_2\ldots\alpha_{n-1}\alpha_0\alpha_1\ldots,$$
$$\ldots$$
$$\alpha_{n-1}\alpha_0\alpha_1\alpha_2\ldots\alpha_{n-2}\alpha_{n-1}\alpha_0\alpha_1\alpha_2\ldots\alpha_{n-2}\ldots$$

Further, a $k$-chain in a binary $n$-cycle $C$ is a binary string $\beta_0\ldots\beta_{k-1}$, $k \le n$, that satisfies the following condition: there exists $j \in \{0, 1, \ldots, n-1\}$ such that $\beta_i = \varepsilon_{(i+j) \bmod n}$ for $i = 0, 1, \ldots, k-1$. Thus, a $k$-chain is just a string of length $k$ of labels that corresponds to a chain of length $k$ in the graph $C$.

We call a binary $n$-cycle $C$ $k$-full if each $k$-chain occurs in the graph $C$ the same number $r > 0$ of times.

Clearly, if $C$ is $k$-full, then $n = 2^k r$. For instance, a well-known De Bruijn sequence is an $n$-full $2^n$-cycle. Clearly a $k$-full $n$-cycle is $(k-1)$-full: each $(k-1)$-chain occurs in $C$ exactly $2r$ times, etc. Thus, if an $n$-cycle $C(\mathcal{S})$ is $k$-full, then each $m$-tuple (where $1 \le m \le k$) occurs in the sequence $\mathcal{S}$ with the same probability (limit frequency) $2^{-m}$. That is, the sequence $\mathcal{S}$ is $k$-distributed, see [21, Section 3.5, Definition D].

Definition 6.1. A purely periodic binary sequence $\mathcal{S}$ with period length exactly $N$ is said to be strictly $k$-distributed if and only if the corresponding $N$-cycle $C(\mathcal{S})$ is $k$-full.

Thus, if a sequence $\mathcal{S}$ is strictly $k$-distributed, then it is strictly $s$-distributed for all positive $s < k$.

A $k$-distribution is a good 'indicator of randomness' of an infinite sequence: the larger $k$, the better the sequence, i.e., the 'more random' it is. The best case is when a sequence is $k$-distributed for all $k = 1, 2, \ldots$. Such sequences are called $\infty$-distributed. Obviously, a periodic sequence cannot be $\infty$-distributed.

On the other hand, a periodic sequence is just an infinite repetition of a finite sequence, the period. So we are interested in 'how random' this finite sequence (the period) is. Of course, it seems very reasonable to consider a period of length $n$ as an $n$-cycle and to study the distribution of $k$-tuples in the $n$-cycle; for instance, if this $n$-cycle is $k$-full, the distribution of $k$-tuples is strictly uniform. However, other approaches also exist.

In [21, Section 3.5, Definition Q1] the following 'indicator of randomness' of a finite sequence over a finite alphabet $A$ is considered (we formulate the corresponding definition for $A = \{0, 1\}$): a finite binary sequence $\varepsilon_0\varepsilon_1\ldots\varepsilon_{N-1}$ of length $N$ is said to be random (sic!) if and only if
$$(22)\qquad \left|\frac{\nu(\beta_0\ldots\beta_{k-1})}{N} - \frac{1}{2^k}\right| \le \frac{1}{\sqrt N}$$
for all $0 < k \le \log_2 N$, where $\nu(\beta_0\ldots\beta_{k-1})$ is the number of occurrences of the binary word $\beta_0\ldots\beta_{k-1}$ in the binary word $\varepsilon_0\varepsilon_1\ldots\varepsilon_{N-1}$. If a finite sequence is random in the sense of this Definition Q1 of [21], we shall say that it has property Q1, or satisfies Q1. We shall also say that an infinite periodic sequence satisfies Q1 if and only if its exact period satisfies Q1. Note that, in contrast to the case of strict $k$-distribution, which implies strict $(k-1)$-distribution, it is not enough to demonstrate only that inequality (22) holds for $k = \lfloor\log_2 N\rfloor$ to prove that a finite sequence of length $N$ satisfies Q1: for instance, the sequence 1111111100000111 satisfies (22) for $k = \lfloor\log_2 N\rfloor = 4$, and does not satisfy (22) for $k = 3$. Note that an analog of property Q1 for an odd prime $p$ could be stated in an obvious way. Now we are able to state the following theorem.

Theorem 6.1. Let $\mathcal{T}'_n$ be the binary representation of the sequence $\mathcal{T}_n$ (hence $\mathcal{T}'_n$ is a purely periodic binary sequence of period length exactly $n2^n$). Then the sequence $\mathcal{T}'_n$ is strictly $n$-distributed. Moreover, this sequence satisfies Q1.

Proof. Let $\mathcal{T}'_n = \zeta_0\zeta_1\cdots$ be the binary representation of the sequence $\mathcal{T}_n$. Take an arbitrary binary word $\mathbf{b} = \beta_0\beta_1\ldots\beta_{n-1}$, $\beta_j \in \{0, 1\}$, and for $k \in \{0, 1, \ldots, n-1\}$ denote
$$\nu_k(\mathbf{b}) = \bigl|\{r : 0 \le r < n2^n;\ r \equiv k \pmod n;\ \zeta_r\zeta_{r+1}\cdots\zeta_{r+n-1} = \beta_0\beta_1\ldots\beta_{n-1}\}\bigr|.$$
Obviously, $\nu_0(\mathbf{b})$ is the number of occurrences of the rational integer $z$ with base-2 expansion $\beta_0\beta_1\ldots\beta_{n-1}$ in the exact period of the sequence $\mathcal{T}_n$. Hence $\nu_0(\mathbf{b}) = 1$, since the sequence $\mathcal{T}_n$ is strictly uniformly distributed modulo $2^n$. Now consider $\nu_k(\mathbf{b})$ for $0 < k < n$.

Fix $k \in \{1, 2, \ldots, n-1\}$ and let $r = k + tn$. Since $f$ is compatible, $\zeta_r\zeta_{r+1}\cdots\zeta_{r+n-1} = \beta_0\beta_1\ldots\beta_{n-1}$ holds if and only if the following two relations hold simultaneously:
$$(23)\qquad \zeta_{tn+k}\zeta_{tn+k+1}\cdots\zeta_{tn+n-1} = \beta_0\beta_1\ldots\beta_{n-k-1},$$
$$(24)\qquad f(\zeta_{tn}\zeta_{tn+1}\cdots\zeta_{tn+k-1}) \equiv \beta_{n-k}\beta_{n-k+1}\ldots\beta_{n-1} \pmod{2^k}.$$
Here $\gamma_0\gamma_1\cdots\gamma_s = \gamma_0 + \gamma_1\cdot 2 + \cdots + \gamma_s\cdot 2^s$ for $\gamma_0, \gamma_1, \ldots, \gamma_s \in \{0, 1\}$ is the rational integer with base-2 expansion $\gamma_0\gamma_1\cdots\gamma_s$.

For a given $\mathbf{b} = \beta_0\beta_1\ldots\beta_{n-1}$ congruence (24) has exactly one solution $\alpha_0\alpha_1\ldots\alpha_{k-1}$ modulo $2^k$, since $f$ is ergodic, whence bijective modulo $2^k$. Thus, in view of (23) and (24) we conclude that $\zeta_r\zeta_{r+1}\cdots\zeta_{r+n-1} = \beta_0\beta_1\ldots\beta_{n-1}$ holds if and only if
$$(25)\qquad \zeta_s\zeta_{s+1}\cdots\zeta_{s+n-1} = \alpha_0\alpha_1\ldots\alpha_{k-1}\beta_0\beta_1\ldots\beta_{n-k-1},$$
where $s = tn$. Yet there exists exactly one $s \equiv 0 \pmod n$, $0 \le s < 2^n n$, such that (25) holds, since every element of $\mathbb{Z}/2^n\mathbb{Z}$ occurs in the period of $\mathcal{T}_n$ exactly once. We conclude now that $\nu_k(\mathbf{b}) = 1$ for all $k \in \{0, 1, \ldots, n-1\}$; thus, $\nu(\mathbf{b}) = \sum_{j=0}^{n-1}\nu_j(\mathbf{b}) = n$ for every $\mathbf{b}$. This means that the $(n2^n)$-cycle $C(\mathcal{T}'_n)$ is $n$-full, whence the sequence $\mathcal{T}'_n$ is strictly $n$-distributed. This completes the proof of the first assertion of the theorem.

To prove the second assertion note that in view of the first assertion every $m$-tuple for $1 \le m \le n$ occurs in the $n2^n$-cycle $C(\mathcal{T}'_n)$ exactly $2^{n-m}n$ times. Thus, every such $m$-tuple occurs $2^{n-m}n - c$ times in the finite binary sequence $\bar z_0\bar z_1\ldots\bar z_{2^n-1}$, where $\bar z$ for $z \in \{0, 1, \ldots, 2^n - 1\}$ is the $n$-bit string that agrees with the base-2 expansion of $z$. Note that $c$ depends on the $m$-tuple, yet $0 \le c \le m-1$ for every $m$-tuple. Easy algebra shows that (22) holds for these $m$-tuples.

Now to prove that $\mathcal{T}'_n$ satisfies Q1 we have only to demonstrate that (22) holds for $m$-tuples with $m = n + d$, where $0 < d \le \log_2 n$. We claim that any such $m$-tuple occurs in the period of $\mathcal{T}'_n$ not more than $n$ times.

Indeed, in this case $\zeta_r\zeta_{r+1}\cdots\zeta_{r+n+d-1} = \beta_0\beta_1\ldots\beta_{n+d-1}$ holds if and only if, besides the two relations (23) and (24), the following extra congruence holds:
$$f(\zeta_{tn}\zeta_{tn+1}\cdots\zeta_{tn+k-1}\beta_0\beta_1\ldots\beta_{d-1}) \equiv \beta_{n-k}\beta_{n-k+1}\ldots\beta_{n+d-1} \pmod{2^{k+d}},$$
where $k = r \bmod n$. Yet this extra congruence may or may not have a solution in the unknowns $\zeta_{tn}, \zeta_{tn+1}, \ldots, \zeta_{tn+k-1}$; this depends on $\beta_0\beta_1\ldots\beta_{n+d-1}$. But if such a solution exists, it is unique for a given $k \in \{0, 1, \ldots, n-1\}$, since $f$ is ergodic, whence bijective modulo $2^s$ for all $s = 1, 2, \ldots$. This proves our claim. Now an exercise in inequalities shows that (22) holds in this case, thus completing the proof of the theorem. $\Box$

Note 6.2. The second assertion of theorem 6.1 holds for an arbitrary prime $p$. Namely, the base-$p$ representation of an output sequence of a congruential generator over $\mathbb{Z}/p^n\mathbb{Z}$ of maximum period length is a strictly $n$-distributed sequence over $\mathbb{Z}/p\mathbb{Z}$ of period length exactly $p^n n$, which satisfies Q1.

Moreover, the first assertion of theorem 6.1 also holds for a truncated congruential generator; that is, for a generator $\mathfrak{A}$ of section 3 whose output function $F(x)$ keeps $k$ base-$p$ digits of the state (reduction modulo $p^k$). Namely, the base-$p$ representation of the output sequence of a truncated congruential generator over $\mathbb{Z}/p^n\mathbb{Z}$ of maximum period length is a purely periodic strictly $k$-distributed sequence over $\mathbb{Z}/p\mathbb{Z}$ of period length $p^n k$.

The second assertion for this generator holds whenever $n$, $k$ and $p$ satisfy a certain inequality; thus, one could truncate a number of lower order digits without affecting property Q1.

All these statements could be proved by slight modifications of the proof of theorem 6.1. We omit details.
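Added example (not from the paper): the Python script below builds $\mathcal{T}_n$ from the ergodic map $x + (x^2 \mathbin{\mathrm{OR}} 5)$ of example 4.18, writes each $n$-bit word least significant bit first as agreed in this section, and counts $k$-tuples around the $n2^n$-cycle to confirm strict $n$-distribution and property Q1 for small $n$. It also reproduces the $\mathbb{Z}/4\mathbb{Z}$ counterexample 0231 from the beginning of this subsection, whose overlapping 2-bit patterns are not uniformly distributed. The helper names and the choice of generator are the script's own.

```python
"""Section 6.1 on a concrete ergodic generator (added example, not from the paper).

T_n is the period of f^i(0) mod 2^n for the ergodic f(x) = x + (x^2 OR 5) of
example 4.18; T'_n is its binary representation with every n-bit word written
least significant bit first, as agreed in this section.  Theorem 6.1 says the
(n 2^n)-cycle C(T'_n) is n-full, i.e. every n-tuple occurs exactly n times,
and that the period satisfies Knuth's property Q1."""
from collections import Counter
from math import log2, sqrt


def period_mod(f, n, z0=0):
    """The exact period of f^i(z0) mod 2^n; raises if f is not transitive mod 2^n."""
    m = 1 << n
    seq, x = [], z0 % m
    for _ in range(m):
        seq.append(x)
        x = f(x) % m
    if x != z0 % m or len(set(seq)) != m:
        raise ValueError("f is not transitive modulo 2^n")
    return seq


def binary_representation(words, n):
    """Concatenate n-bit words, least significant bit first."""
    return [(w >> i) & 1 for w in words for i in range(n)]


def cyclic_tuple_counts(bits, k):
    """Occurrences of every k-tuple on the cycle (wrap-around included)."""
    N = len(bits)
    return Counter(tuple(bits[(s + i) % N] for i in range(k)) for s in range(N))


def is_strictly_k_distributed(bits, k):
    """k-fullness of the cycle: all 2^k tuples present, all with the same count."""
    counts = cyclic_tuple_counts(bits, k)
    return len(counts) == 1 << k and len(set(counts.values())) == 1


def satisfies_q1(bits):
    """Knuth's Definition Q1 on the finite word: |nu(B)/N - 2^-k| <= 1/sqrt(N)
    for all 0 < k <= log2 N, nu(B) counting substring occurrences (no wrap)."""
    N = len(bits)
    for k in range(1, int(log2(N)) + 1):
        counts = Counter(tuple(bits[s:s + k]) for s in range(N - k + 1))
        for pattern in range(1 << k):
            nu = counts.get(tuple((pattern >> i) & 1 for i in range(k)), 0)
            if abs(nu / N - 2.0 ** -k) > 1 / sqrt(N):
                return False
    return True


KS = lambda x: x + (x * x | 5)   # ergodic, example 4.18


def check_theorem_6_1(n):
    """(strictly n-distributed?, satisfies Q1?) for T'_n built from KS."""
    bits = binary_representation(period_mod(KS, n), n)
    return is_strictly_k_distributed(bits, n), satisfies_q1(bits)


def n_tuple_counts(n):
    """Set of occurrence counts of n-tuples on C(T'_n); theorem 6.1 predicts {n}."""
    bits = binary_representation(period_mod(KS, n), n)
    return set(cyclic_tuple_counts(bits, n).values())


def counterexample_z4():
    """The sequence 0231 over Z/4Z is uniformly distributed, yet its binary
    form 00011110 has 00 and 11 three times each and 01 and 10 once each."""
    bits = binary_representation([0, 2, 3, 1], 2)
    return dict(cyclic_tuple_counts(bits, 2))


if __name__ == "__main__":
    for n in range(1, 7):
        print(n, check_theorem_6_1(n), n_tuple_counts(n))
    print(counterexample_z4())
```

The cyclic count models the $k$-chains of the $n2^n$-cycle, while `satisfies_q1` counts plain substring occurrences in the finite period, exactly the two notions the theorem distinguishes.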

6.2. Coordinate sequences. In this subsection we study some structural properties of a binary sequence produced by a compatible ergodic transformation $f$ of the space $\mathbb{Z}_2$. Clearly, the binary sequence $\mathcal{S}_j = \{\delta_j(f^i(z_0))\}_{i=0}^{\infty}$ (which is called the $j$-th coordinate sequence) is a purely periodic binary sequence of period length $2^{j+1}$.

Moreover, it is easy to understand that the second half of the period of every coordinate sequence $\mathcal{S}_j = s_0, s_1, s_2, \ldots$ is the bitwise negation of its first half:
$$(26)\qquad s_{i+2^j} \equiv s_i + 1 \pmod 2,\quad i = 0, 1, 2, \ldots$$
This immediately follows from theorem 4.5 and means, loosely speaking, that the $j$-th coordinate sequence is as complex as the first half of its period. So it is important to know what sequences of length $2^j$ could be output as the first half of the period of the $j$-th coordinate sequence; more formally, what values are taken by the rational integer $\gamma = s_0 + s_1 2 + s_2 2^2 + \cdots + s_{2^j - 1}2^{2^j - 1}$ for the $j$-th coordinate sequence $\mathcal{S}_j = s_0, s_1, s_2, \ldots$.
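The half-period negation (26) can be observed directly. The Python script below is an added example and not from the paper: it computes the $j$-th coordinate sequence of the orbit of $z$ under the ergodic map $x + (x^2 \mathbin{\mathrm{OR}} 5)$ of example 4.18 (working modulo $2^{j+1}$, which is legitimate because $f$ is compatible), checks that the exact period is $2^{j+1}$ and that $s_{i+2^j} \equiv s_i + 1 \pmod 2$, and packs the first half of the period into the integer $\gamma_j(f, z)$ defined below. For contrast it runs the same check on $x \mapsto 3x + 1$, which preserves measure but is not ergodic; there the check fails from $j = 1$ on. The helper names are the script's own.

```python
"""Coordinate sequences of an ergodic T-function (added example, not from the paper).

For compatible ergodic f and any z, the j-th coordinate sequence
s_i = delta_j(f^i(z)) has period exactly 2^(j+1) and its second half is the
bitwise negation of its first half, s_{i+2^j} = s_i + 1 (mod 2), eq. (26); the
integer gamma_j(f, z) packs the first half, so it determines the whole sequence."""


def coordinate_sequence(f, z, j, length):
    """s_0, ..., s_{length-1} with s_i = delta_j(f^i(z)).  Working modulo
    2^(j+1) is legitimate because f is compatible: bit j of f^i(z) depends
    only on z mod 2^(j+1)."""
    m = 1 << (j + 1)
    x, out = z % m, []
    for _ in range(length):
        out.append((x >> j) & 1)
        x = f(x) % m
    return out


def exact_period(seq):
    """Smallest p dividing len(seq) such that seq[i] == seq[i mod p] for all i."""
    n = len(seq)
    for p in range(1, n + 1):
        if n % p == 0 and all(seq[i] == seq[i % p] for i in range(n)):
            return p
    return n


def gamma(f, z, j):
    """gamma_j(f, z) = sum_{i < 2^j} delta_j(f^i(z)) 2^i: the first half of the period."""
    return sum(b << i for i, b in enumerate(coordinate_sequence(f, z, j, 1 << j)))


def half_period_negation_holds(f, z, j):
    """Check eq. (26) over two full periods and that the period is exactly 2^(j+1)."""
    p = 1 << (j + 1)
    s = coordinate_sequence(f, z, j, 2 * p)
    negated = all(s[i + (p >> 1)] == 1 - s[i] for i in range(p + (p >> 1)))
    return negated and exact_period(s) == p


def unpack(g, j):
    """Inverse of gamma: the full period of the j-th coordinate sequence from gamma_j."""
    half = [(g >> i) & 1 for i in range(1 << j)]
    return half + [1 - b for b in half]


KS = lambda x: x + (x * x | 5)        # ergodic, example 4.18
NOT_ERGODIC = lambda x: 3 * x + 1     # measure preserving, not ergodic (3 != 1 mod 4)


def check_all(f, z, max_j):
    """True iff (26) and the exact period 2^(j+1) hold for every j <= max_j."""
    return all(half_period_negation_holds(f, z, j) for j in range(max_j + 1))


def round_trip_ok(f, z, j):
    """The period reconstructed from gamma_j equals the observed period."""
    return unpack(gamma(f, z, j), j) == coordinate_sequence(f, z, j, 1 << (j + 1))


if __name__ == "__main__":
    for j in range(4):
        print(j, gamma(KS, 0, j), coordinate_sequence(KS, 0, j, 1 << (j + 1)))
    print("KS:", check_all(KS, 0, 6), " 3x+1:", check_all(NOT_ERGODIC, 0, 3))
```

`unpack` is the reconstruction the text alludes to: once $\gamma_j$ is known, (26) yields the whole period of the $j$-th coordinate sequence, which is why the question of which $\gamma_j$ can occur is the right one to ask.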

In other words, let $\gamma_j(f, z) \in \mathbb{N}_0$ be the number whose base-2 expansion agrees with the first half of the period of the $j$-th coordinate sequence; i.e., let
$$\gamma_j(f, z) = \delta_j(z) + 2\delta_j(f(z)) + 4\delta_j(f^2(z)) + \cdots + 2^{2^j - 1}\delta_j(f^{2^j - 1}(z)).$$
Obviously, $0 \le \gamma_j(f, z) \le 2^{2^j} - 1$. The following natural question should be answered: given a compatible and ergodic mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and a 2-adic integer $z \in \mathbb{Z}_2$, what infinite strings $\gamma_0 = \gamma_0(f, z), \gamma_1 = \gamma_1(f, z), \gamma_2 = \gamma_2(f, z), \ldots$ (where $\gamma_j \in \{0, 1, \ldots, 2^{2^j} - 1\}$ for $j = 0, 1, 2, \ldots$) could be obtained?

And the answer is: any one. Namely, the following theorem holds (which, interestingly, could be proved by a 'purely 2-adic' argument).

Theorem 6.2. Let $\Gamma = \{\gamma_j \in \mathbb{N}_0 : j = 0, 1, 2, \ldots\}$ be an arbitrary sequence of non-negative rational integers that satisfy $0 \le \gamma_j \le 2^{2^j} - 1$ for $j = 0, 1, 2, \ldots$. There exists a compatible and ergodic mapping $f\colon \mathbb{Z}_2 \to \mathbb{Z}_2$ and a 2-adic integer $z \in \mathbb{Z}_2$ such that $\delta_j(z) = \delta_0(\gamma_j)$, $\delta_0(f^i(z)) \equiv \gamma_0 + i \pmod 2$, and
$$\delta_j(f^i(z)) \equiv \delta_{i \bmod 2^j}(\gamma_j) + \lfloor i/2^j\rfloor \pmod 2$$
for all $i, j \in \mathbb{N}$.

Note. The sequence $\{\lfloor i/2^j\rfloor \bmod 2 : i = 1, 2, \ldots\}$ is merely a binary sequence of alternating gaps and runs (i.e., blocks of consecutive 0's or 1's, respectively) of length $2^j$ each.
Proof of theorem 6.2. Put $z = z_0 = \sum_{j=0}^{\infty}\delta_0(\gamma_j)2^j$ and
$$z_i = \bigl((\gamma_0 + i) \bmod 2\bigr) + \sum_{j=1}^{\infty}\Bigl(\bigl(\delta_{i \bmod 2^j}(\gamma_j) + \lfloor i/2^j\rfloor\bigr) \bmod 2\Bigr)\cdot 2^j$$
for $i = 1, 2, 3, \ldots$. Consider the sequence $Z = \{z_i : i = 0, 1, 2, \ldots\}$. Speaking informally, we are filling a table with a countably infinite number of rows and columns in such a way that the first $2^j$ entries of the $j$-th column represent $\gamma_j$ in its base-2 expansion, and the other entries of this column are obtained from these by applying the recursive relation (26). Then each $i$-th row of the table is the 2-adic canonical representation of $z_i \in Z$.

We shall prove that $Z$ is a dense subset of $\mathbb{Z}_2$, and then define $f$ on $Z$ in such a way that $f$ is compatible and ergodic on $Z$. This will imply the assertion of the theorem.

Proceeding along this way we claim that $Z \bmod 2^k = \mathbb{Z}/2^k\mathbb{Z}$ for all $k = 1, 2, 3, \ldots$, i.e., the natural ring homomorphism $\bmod 2^k\colon z \mapsto z \bmod 2^k$ maps $Z$ onto the residue ring $\mathbb{Z}/2^k\mathbb{Z}$. Indeed, this trivially holds for $k = 1$. Assuming our claim holds for $k < m$ we prove it for $k = m$. Given an arbitrary $t \in \{0, 1, \ldots, 2^m - 1\}$ there exists $z_i \in Z$ such that $z_i \equiv t \pmod{2^{m-1}}$. If $z_i \not\equiv t \pmod{2^m}$ then $\delta_{m-1}(z_i) \equiv \delta_{m-1}(t) + 1 \pmod 2$ and thus $\delta_{m-1}(z_{i+2^{m-1}}) \equiv \delta_{m-1}(t) \pmod 2$. However, $z_{i+2^{m-1}} \equiv z_i \pmod{2^{m-1}}$. Hence $z_{i+2^{m-1}} \equiv t \pmod{2^m}$.

A similar argument shows that for each $k \in \mathbb{N}$ the sequence $\{z_i \bmod 2^k\}_{i=0}^{\infty}$ is purely periodic with period length $2^k$, and each $t \in \{0, 1, \ldots, 2^k - 1\}$ occurs in the period exactly once (in particular, all members of $Z$ are pairwise distinct 2-adic integers). Moreover, $i \equiv i' \pmod{2^k}$ if and only if $z_i \equiv z_{i'} \pmod{2^k}$. Consequently, $Z$ is dense in $\mathbb{Z}_2$, since for each $t \in \mathbb{Z}_2$ and each $k \in \mathbb{N}$ there exists $z_i \in Z$ such that $\|z_i - t\|_2 \le 2^{-k}$. Moreover, if we define $f(z_i) = z_{i+1}$ for all $i = 0, 1, 2, \ldots$ then
$$\|f(z_i) - f(z_{i'})\|_2 = \|z_{i+1} - z_{i'+1}\|_2 = \|(i+1) - (i'+1)\|_2 = \|i - i'\|_2 = \|z_i - z_{i'}\|_2.$$
Hence, $f$ is well defined and compatible on $Z$; it follows that the continuation of $f$ to the whole space $\mathbb{Z}_2$ is compatible. Yet $f$ is transitive modulo $2^k$ for each $k \in \mathbb{N}$, so its continuation is ergodic. $\Box$



7. Conclusion

In this paper we demonstrate that, loosely speaking, a contemporary digital computer 'thinks 2-adically': the most common processor instructions, both numerical (i.e., arithmetic, e.g. addition, multiplication), logical (such as bitwise OR, AND, XOR, NOT) and machine (left and right shifts), are continuous functions with respect to the 2-adic metric. Hence, a computer program which is combined from these operators is a continuous function defined on (and taking values in) the space of 2-adic integers. So we believe that the natural metric for a digital computer is non-Archimedean: the sequence of states of a program (as we have demonstrated by the example of programs that generate pseudorandom numbers) admits an adequate description as a smooth trajectory in a non-Archimedean metric space. If so, a digital computer is likely to be perfect for simulating non-Archimedean dynamics, and not as good for simulating Archimedean systems.

The latter phenomenon was already noticed in numerical analysis: for instance, paper [27] reads:
Digital computers are absolutely incapable of showing true long-time dynamics of some chaotic systems, including the tent map, the Bernoulli shift map and their analogues, even in a high-precision floating-point arithmetic.

Note that both these dynamical systems, the tent map and the Bernoulli shift 
map, are ergodic. However, theoretical analysis, as well as 1000 computer verifi-
cations in [27], demonstrate that the behaviour of the corresponding computer programs is 
not ergodic: 

    It is found that all chaotic orbits will eventually converge to 
    zero within $N_r$ iterations, and that the value of $N_r$ is uniquely 
    determined by the details of digital floating-point arithmetic. 

Moreover, inspired by the results of [27], we undertook our own study of discrete 
versions of these two maps, supported by computer experiments based on fixed-point 
(actually, integer) arithmetic instead of floating-point arithmetic. Namely, we considered 
a map $B_n$ as a discrete analog of the Bernoulli shift map, and a map 
$T_n\colon x \mapsto \ldots - (x\ \mathrm{AND}\ 1) \pmod{2^n}$ as a discrete analog of the tent 
map. Both these maps are transformations of the set $\{0, 1, \ldots, 2^n - 1\} = \mathbb{Z}/2^n\mathbb{Z}$, 
and elements of the latter set can be put into correspondence with real numbers in 
$[0, 1]$ via the Monna map, 

$$x = \sum_{i=0}^{n-1} x_i 2^i \;\mapsto\; \sum_{i=0}^{n-1} x_i 2^{-i-1} \in [0, 1],$$

e.g., $2 = \ldots0010 \leftrightarrow \frac{1}{4}$, $3 = \ldots0011 \leftrightarrow \frac{1}{2} + \frac{1}{4} = \frac{3}{4}$, etc. Up to this correspon-
dence, both $B_n$ and $T_n$ give the same plots in the unit square as, respectively, the 
Bernoulli shift and the tent map restricted to real numbers with $n$ binary 
digits after the point. However, neither $B_n$ nor $T_n$ is ergodic either: $B_n$ con-
verges to $0$ after at most $n$ iterations, and $T_n$ always falls into short cycles, of length 
at most $n$. 

This effect cannot occur for truly ergodic maps: loosely speaking, ergodic trans-
formations have no invariant subsets except subsets of measure $0$ and of full 
measure. Thus, any ergodic transformation of a finite set (endowed with 
the natural uniform probability measure) must necessarily be transitive, i.e., must 
permute all elements of the set cyclically. In other words, these considerations show 
that computer simulations of Archimedean ergodic systems are indeed inadequate, 
since the corresponding programs clearly exhibit non-ergodic behaviour. 

In contrast, the results of the present paper demonstrate that whenever one 
considers an ergodic transformation of the space of 2-adic integers that satisfies the Lipschitz 
condition with constant 1, any restriction of this transformation to $n$-bit precision 
remains ergodic (that is, transitive modulo $2^n$). Thus, digital computers are perfect for simulating the behaviour of 
these 2-adic dynamical systems; in the paper, the corresponding dynamics was 
used to construct effective pseudorandom generators with prescribed characteristics. 
Numerous computer experiments with these programs (e.g., the ones undertaken 
during the development of the ABC stream cipher [8]) are in full agreement with the 
theory presented above. In our view, these considerations give further evidence 
that a non-Archimedean (namely, 2-adic) metric is natural for digital computers, 
whereas the Archimedean metric is not. 
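The contrast just drawn can be checked by brute force for small word lengths. The following program is an added example and is not code from the paper: as a stand-in for the paper's own generators it assumes the compatible map $x \mapsto x + (x^2\ \mathrm{OR}\ 5)$, built only from addition, multiplication and bitwise OR (it is a known result of Klimov and Shamir, not of this paper, that this map is a single cycle modulo $2^n$), and it takes $x \mapsto 2x \bmod 2^n$ as an integer analog of the Bernoulli shift (my choice; the paper's $B_n$ is not reproduced). The exhaustive search confirms that the first map permutes all $2^n$ residues cyclically for every $n$ tried, while the second collapses to the fixed point $0$ within $n$ steps.

```python
# Added example (not from the paper): a brute-force check, for small word
# lengths n, of the contrast drawn above.  As a stand-in for the paper's own
# generators, the map x -> x + (x^2 OR 5) is assumed: it is built only from
# addition, multiplication and bitwise OR, so it is compatible (1-Lipschitz),
# and it is known (Klimov-Shamir) to be a single cycle modulo 2^n.  The integer
# Bernoulli analog is taken here as x -> 2x mod 2^n (my choice; the paper's B_n
# is not reproduced), which collapses to the fixed point 0 within n steps.

def ergodic_candidate(x: int, n: int) -> int:
    """x -> x + (x^2 OR 5), reduced to n-bit precision."""
    return (x + ((x * x) | 5)) & ((1 << n) - 1)

def bernoulli_mod_2n(x: int, n: int) -> int:
    """Integer analog of the Bernoulli shift: doubling modulo 2^n."""
    return (2 * x) & ((1 << n) - 1)

def orbit_shape(f, start: int, n: int):
    """Iterate f from `start` until a value repeats; return (tail, cycle):
    the number of pre-periodic steps and the length of the cycle reached."""
    seen = {}
    x, step = start, 0
    while x not in seen:
        seen[x] = step
        x = f(x, n)
        step += 1
    return seen[x], step - seen[x]

def is_transitive_mod_2n(f, n: int) -> bool:
    """True iff f permutes {0, ..., 2^n - 1} in a single cycle of length 2^n."""
    tail, cycle = orbit_shape(f, 0, n)
    return tail == 0 and cycle == (1 << n)

def max_steps_to_zero(f, n: int) -> int:
    """Largest number of iterations any n-bit start needs to reach 0,
    or -1 if some orbit never gets there."""
    worst = 0
    for start in range(1 << n):
        x, steps = start, 0
        while x != 0:
            x = f(x, n)
            steps += 1
            if steps > (1 << n):
                return -1
        worst = max(worst, steps)
    return worst

if __name__ == "__main__":
    for n in range(1, 11):
        print(f"n={n:2d}  x+(x^2|5) single cycle: {is_transitive_mod_2n(ergodic_candidate, n)}"
              f"  2x mod 2^n reaches 0 within {max_steps_to_zero(bernoulli_mod_2n, n)} steps")
```

Since the first map is a T-function, reducing it modulo $2^n$ at the end is the same as computing it in $n$-bit registers throughout; the cycle found from $0$ therefore is the orbit an $n$-bit implementation would produce.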
Yet another piece of evidence is given by the following observation: every digital com-
puter, even the simplest one, can, by its very origin, properly operate with 2-adic 
numbers. Let us undertake the following 'computer experiment'. Start MS Windows 
XP, run the built-in Calculator. Switch to Scientific mode. Press Dec (that is, switch 
to decimals), press 1, then +/-. The calculator returns -1, as prescribed. 

Now press Bin, switching the calculator to binaries. The calculator returns ...111 
(64 ones), a 2-adic representation of -1, up to the highest precision the calculator 
can achieve, 64 bits. (Here a programmer will most likely say that the calculator 
just uses the two's complement.) 

Now press Dec again; the calculator returns 18446744073709551615. This num-
ber is congruent to -1 modulo $2^{64}$. Now press successively /, 3, =, Bin, thus divid-
ing the number by 3 and representing the result in binary form. The calculator 
returns ...10101010101, a 2-adic representation of -1/3, with 2-adic precision $2^{-64}$. 
Indeed, switching back to Dec we obtain 6148914691236517205, a multiplicative 
inverse of -3 modulo $2^{64}$. 

This toy experiment could be performed on most calculators. However, some-
times a calculator returns an erroneous result. This usually happens when the cor-
responding program is written in a higher-level language. Very loosely speaking, 
the capability of a calculator to perform 2-adic arithmetic depends on how the 
corresponding program is written: programs written in assembler are usually more 
capable of performing 2-adic calculations than the ones written in higher-level lan-
guages. Programmers use assembler when they want to exploit the CPU's resources 
in the most optimal way; e.g., to store negative numbers they use the two's com-
plement rather than reserve a special register for the sign. But the usage of the two's 
complement of $x$ (that is, of $1 + \mathrm{NOT}\,x$) is just a way to represent a negative integer in 
2-adic form, $-x = 1 + \mathrm{NOT}\,x$, see equations (1) of Section 3. Thus, we might conclude 
that a CPU is used in a more optimal way when it actually works with binary words 
as with 2-adic numbers. Thus, a CPU looks more 'non-Archimedean-oriented' than 
'Archimedean-oriented'. 
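The calculator experiment and the two's complement identity $-x = 1 + \mathrm{NOT}\,x$ can be reproduced in 64-bit integer arithmetic. The program below is an added example, not code from the paper: every quantity is a 64-bit word, i.e. a 2-adic integer known to precision $2^{-64}$, and division by an odd word is carried out with the Newton iteration $x \leftarrow x(2 - ax)$ for $1/a$, which doubles the number of correct low-order bits per step (the 2-adic reading of quadratic convergence). The decimal and binary values match the ones the calculator displayed above.

```python
# Added example (not from the paper): the calculator experiment redone in
# 64-bit two's complement arithmetic, where every word is a 2-adic integer
# known to precision 2^-64.

W = 64
MASK = (1 << W) - 1

def two_adic(x: int) -> int:
    """Reduce an integer (possibly negative) to its 64-bit 2-adic residue."""
    return x & MASK

def neg(x: int) -> int:
    """Two's complement negation written as in the text: -x = 1 + NOT x."""
    return two_adic(1 + (~x & MASK))

def inverse_odd(a: int) -> int:
    """Multiplicative inverse of an odd word modulo 2^64 by Newton iteration.
    Start with x = a, which is correct to 3 bits because a*a = 1 (mod 8) for
    odd a; each step x <- x(2 - ax) doubles the precision: 3, 6, 12, 24, 48, 96."""
    if a & 1 == 0:
        raise ValueError("only odd 2-adic integers are invertible")
    x = a
    for _ in range(6):
        x = two_adic(x * (2 - a * x))
    return x

def divide(a: int, b: int) -> int:
    """2-adic division a / b for odd b, exact modulo 2^64."""
    return two_adic(a * inverse_odd(b))

def bits(x: int) -> str:
    """Binary rendering of a word, most significant bit first."""
    return format(x, "064b")

def calculator_run():
    """The key sequence 1, +/-, then / 3 =, as (minus one, minus one third)."""
    minus_one = neg(1)
    minus_third = divide(minus_one, 3)
    return minus_one, minus_third

if __name__ == "__main__":
    m1, m3 = calculator_run()
    print(m1, bits(m1))       # 18446744073709551615, 64 ones
    print(m3, bits(m3))       # 6148914691236517205, ...10101010101
    print(two_adic(m3 * 3))   # 18446744073709551615: so m3 is -1/3 to 64 bits
```

The check at the end is the one a practitioner wants: multiplying the result back by 3 returns the word for $-1$, which is exactly what "$6148914691236517205$ is an inverse of $-3$ modulo $2^{64}$" means.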

We human beings are Archimedean creatures: we agree, judging by numerous experiments, 
that the surrounding physical world is Archimedean. Our experience 
gives us strong evidence that trajectories of a physical (especially, mechanical) 
dynamical system admit, as a rule, adequate descriptions by smooth curves in an 
Archimedean (Euclidean) metric space. Moreover, we can simulate the behaviour of 
these mechanical systems by other physical processes, e.g., by electrical ones: this 
way we arrive at analog computers that can simulate processes of our physical (at 
least, mechanical) world with arbitrarily high precision, since their internal basic 
operators are continuous functions with respect to an Archimedean metric. 

But then, if we see that a digital computer cannot simulate the long-time dynamics 
even of rather simple Archimedean dynamical systems, yet can simulate non-Archimedean 
dynamics with arbitrarily high precision, we probably should agree that 
digital computers are a kind of non-Archimedean device, something like analog 
computers for the non-Archimedean world, since their internal basic operators are 
continuous functions with respect to the 2-adic (i.e., non-Archimedean) metric. 

We believe that these considerations must be taken into account when simulating 
dynamical systems on digital computers: probably, the simulation will be adequate 
for non-Archimedean dynamical systems, whereas for Archimedean ones it will 
not. 
Also, the approach presented in the paper could probably be applied to other 
problems of computer science, and not only to the problem of pseudorandom gener-
ation. For instance, consider an automaton with binary input and binary output. 
This automaton actually performs a transformation of the space $\mathbb{Z}_2$ of 2-adic in-
tegers: the automaton transforms each infinite input string of 0s and 1s into an 
infinite output string of 0s and 1s (we suppose that the initial state is fixed). Note 
that every output $i$-th bit depends only on the input $i$-th bit and on the 
current state of the automaton. Yet the current state depends only on the previ-
ous state and on the $(i-1)$-th input bit. Hence, for every $i = 1, 2, \ldots$, the $i$-th 
output bit depends only on bits $1, 2, \ldots, i$ of the input string. According to the 
results of this paper (see Proposition 3.1), the transformation of $\mathbb{Z}_2$ performed by 
the automaton is compatible, that is, satisfies the 2-adic Lipschitz condition with 
constant 1 and thus is continuous. So 2-adic analysis can probably be of use in 
automata theory. 
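The compatibility claim can be verified directly on concrete automata. The program below is an added example, not code from the paper: it feeds a binary Mealy automaton its input least significant bit first (the order in which 2-adic digits are written from the right), reads the output as an element of $\mathbb{Z}/2^n\mathbb{Z}$, and checks exhaustively that $\|f(x) - f(y)\|_2 \le \|x - y\|_2$ on all $n$-bit inputs. The increment automaton (a serial adder for $+1$) and the seeded random automata are my constructions for illustration; the right shift $x \mapsto \lfloor x/2 \rfloor$ is included as a map that no such automaton realizes, and the check rejects it.

```python
import random

# Added example (not from the paper): a binary Mealy automaton read as a map
# on 2-adic integers, and an exhaustive check of the compatibility property
# (||f(x) - f(y)||_2 <= ||x - y||_2) stated above.  The increment automaton
# and the randomly generated automata are my constructions for illustration.

def run_automaton(delta, lam, state0, bits_in):
    """delta(state, bit) -> next state, lam(state, bit) -> output bit.
    Bits are fed least significant first, the order of 2-adic digits, so
    output bit i depends only on input bits 0..i and the initial state."""
    state, out = state0, []
    for b in bits_in:
        out.append(lam(state, b))
        state = delta(state, b)
    return out

def int_to_bits(x, n):
    return [(x >> i) & 1 for i in range(n)]

def bits_to_int(bs):
    return sum(b << i for i, b in enumerate(bs))

def automaton_map(delta, lam, state0, n):
    """The transformation of {0, ..., 2^n - 1} induced by the automaton."""
    return lambda x: bits_to_int(run_automaton(delta, lam, state0, int_to_bits(x, n)))

def increment_automaton():
    """Serial adder for +1: the state is the carry, initially 1."""
    delta = lambda carry, b: carry & b   # carry propagates only through 1-bits
    lam = lambda carry, b: carry ^ b     # sum bit
    return delta, lam, 1

def random_automaton(num_states, seed):
    """A Mealy automaton with a pseudo-random (seeded) transition table."""
    rng = random.Random(seed)
    table = {(s, b): (rng.randrange(num_states), rng.randrange(2))
             for s in range(num_states) for b in (0, 1)}
    delta = lambda s, b: table[(s, b)][0]
    lam = lambda s, b: table[(s, b)][1]
    return delta, lam, 0

def two_adic_norm(x):
    """||x||_2 = 2^-v, where v is the number of trailing zero bits; ||0||_2 = 0."""
    if x == 0:
        return 0.0
    v = (x & -x).bit_length() - 1
    return 2.0 ** -v

def is_1_lipschitz(f, n):
    """Exhaustive check of the 2-adic Lipschitz-1 condition on n-bit inputs."""
    vals = [f(x) for x in range(1 << n)]
    return all(two_adic_norm(vals[x] - vals[y]) <= two_adic_norm(x - y)
               for x in range(1 << n) for y in range(x + 1, 1 << n))

if __name__ == "__main__":
    f = automaton_map(*increment_automaton(), 8)
    print([f(x) for x in (0, 1, 7, 255)])                                 # [1, 2, 8, 0]
    print(is_1_lipschitz(f, 8))                                            # True
    print(is_1_lipschitz(automaton_map(*random_automaton(5, 7), 8), 8))    # True
    print(is_1_lipschitz(lambda x: x >> 1, 6))                             # False
```

The Lipschitz check is nothing more than the prefix property in metric form: two inputs that agree in their low $k$ bits are at distance at most $2^{-k}$, and an automaton cannot make their outputs differ earlier than bit $k$. The right shift fails because it moves bit 1 into position 0, so inputs $0$ and $2$, which agree modulo $2$, produce outputs $0$ and $1$, which do not.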